HAVA Funding Strategy: Part 3—Upgrading Election-Related Computer Systems
HAVA requirements specify how election officials can spend available funds. However, the most intriguing area is more broadly worded than the others: upgrade election-related computer systems to address cyber vulnerabilities identified through Department of Homeland Security or similar scans or assessments of existing election systems.
Numerous articles in the media have focused narrowly on potential election-day threats and problems with voting machines. While some states may actually need to replace antiquated voting systems, others may have a more pressing need to improve security in the systems they use every day, not just a few times a year on election days.
So, what are some improvements that might fall under “election-related computer systems”, and which would offer the best return on investment for your office? Here are 8 ways you can improve the security of your elections by upgrading the technology you use every day.
Upgrade Your Operating Systems
Using unsupported operating systems puts the integrity of your data at risk. Windows XP is no longer supported by Microsoft and does not support Transport Layer Security (TLS) 1.1 or greater. TLS 1.1 is the minimum recommended level of encryption for safe web browsing. Using an unsupported operating system to access sensitive applications like a voter registration system is a worst practice. Replacing or updating old operating systems should be a top priority.
Replace Aging Workstations
If the computers your employees use are a decade old, they may be lacking security features, such as the full disk encryption hardware option which comes standard on many devices today. Older systems may also lack the performance needed to run the modern operating systems required to meet recommended encryption standards, or to allow your staff to complete their work as efficiently as possible.
Upgrade Voter Registration Systems
Voter registration systems are used every day, not just once a year on election day. Due to the sensitive voter data they contain, and the numerous interfaces they have with other systems (including the public Internet in the case of online registration portals), they are a significantly vulnerable and highly impactful element of the election system. A VRS must feature precisely-engineered technological components constructed for functionality, longevity, and security. While the efficiency and features found in a modern VRS are good reasons to upgrade older systems, the security enhancements for protecting voter data from manipulation and exfiltration are the best reason to use HAVA funds to upgrade your system.
Implement Multi-Factor Authentication
The National Institute of Standards and Technology (NIST) authentication guidelines recommend using a Multi-Factor Authentication (MFA) approach to accessing sensitive information. This requires users to furnish cryptographically secure authentication details as a second step after entering their original username and password, and requires the use of something they have on hand, like a physical token that generates one-time passcodes, or a code sent via text on a smartphone. MFA adds an extra layer of protection, as a hacker may be able to remotely steal a user/password combo, but wouldn’t be able to get the code off a token physically located at the user’s desk. MFA can be used on your workstation, to gain network access, and to log in to your voter registration system, giving these components an extra layer of security.
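The server side of the token check described above, as an added example that is not from the original article. It assumes the token produces time-based one-time passcodes as defined in RFC 6238 (the article does not name an algorithm); the function names, the 30-second step and the one-step drift window are illustrative choices.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # assumed passcode lifetime (RFC 6238 default)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Passcode for the 30-second window containing Unix time `at`."""
    counter = struct.pack(">Q", at // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_used_counter: int = -1, window: int = 1) -> Optional[int]:
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts +/- `window` steps of clock drift, and refuses any step at or
    before `last_used_counter` so a captured code cannot be replayed.
    The caller stores the returned counter as the new last_used_counter.
    """
    current = at // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        expected = totp(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    code = totp(demo_secret, 59)
    print("code:", code)
    print("first use:", verify_totp(demo_secret, code, at=59))
    print("replay:", verify_totp(demo_secret, code, at=59, last_used_counter=1))
```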
Invest in Automation
Automation is an easy way to reduce human errors and increase data security. Automatic software updates keep your workstation current, while scheduling backups ensures your data is recoverable. Scanning forms and petitions into a voter registration system, or exchanging data through automated integration with government agencies and having the system flag data matches for review, reduces manual data entry and the chance of human error, preserving the integrity of your data.
Analyze Hosting Environment
If your servers are old and you’re thinking about upgrading, now is a good time to reconsider if self-hosting is the best strategy. There are highly secure, high performance platforms that weren’t available a decade ago, such as AWS GovCloud and Microsoft Government Cloud. The resources and experience of these providers may be vastly superior to what you can do in-house, such as offering on-demand scalability, infrastructure monitoring, system auditing, extensive access controls, and security certifications such as FedRAMP and ISO 27001.
Improve Integration with Government Services
Improve the security of touchpoints with other government agencies by upgrading to TLS 1.2, implementing strong programmatic authentication where needed, and digitally signing requests and responses to prove integrity and validity. These steps will help ensure secure communication with government services for a variety of business components such as payroll systems, networks, voter registration, and election night reporting.
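A sketch of the two controls named above, added here as an example and not taken from the original article: a client TLS context that refuses anything below TLS 1.2, and authenticated messages with a freshness check. It substitutes HMAC-SHA256 with a pre-shared key for an asymmetric digital signature, because HMAC is in the Python standard library; the message layout, field names and five-minute window are assumptions.

```python
import hashlib
import hmac
import json
import ssl
import time
from typing import Optional

MAX_SKEW_SECONDS = 300  # assumed freshness window for replay protection


def make_tls_context() -> ssl.SSLContext:
    """Client context: certificate and hostname checks on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _canonical(body: dict, timestamp: int) -> bytes:
    # Sorted keys and fixed separators so both agencies sign identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return f"{timestamp}.{payload}".encode()


def sign_message(key: bytes, body: dict, timestamp: Optional[int] = None) -> dict:
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(key, _canonical(body, ts), hashlib.sha256).hexdigest()
    return {"body": body, "timestamp": ts, "signature": mac}


def verify_message(key: bytes, message: dict, now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        ts = int(message["timestamp"])
        expected = hmac.new(key, _canonical(message["body"], ts),
                            hashlib.sha256).hexdigest()
        supplied = str(message["signature"])
    except (KeyError, TypeError, ValueError):
        return False  # malformed message: reject, do not raise
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"           # constructed, not a real key
    request = sign_message(demo_key, {"voter_id": "X-0001", "action": "lookup"})
    print("valid:", verify_message(demo_key, request))
    request["body"]["action"] = "update"         # tampering in transit
    print("tampered:", verify_message(demo_key, request))
```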
Invest in a Security, Network, and Infrastructure Audit
While cybersecurity training and testing are necessary, also consider investing in a holistic audit of all systems from a security and continuity perspective. Do you have data backups, and if so, are they kept off site? Are your network protocols up to date? Do you have encapsulated roles and permissions? These questions and many more can be addressed during an audit to find any potential security vulnerabilities.