In a report submitted to Congress June 26, the Election Assistance Commission (EAC) provided a comprehensive update regarding U.S. election systems and security, and identified how EAC data can be used to shore up election cybersecurity.
The report was based on the Election Administration and Voting Survey (EAVS), which is conducted following every Federal general election. For the EAVS, the EAC surveyed all 50 states, D.C., and U.S. territories to “provide data about the ways in which Americans vote and how elections are administered.” The EAC said the data from the survey plays “a vital role in helping election officials, policymakers, and other election stakeholders identify trends, anticipate and respond to changing voter needs, and invest resources to improve election administration and the voter experience.”
The EAC discussed how Congress and other governmental agencies can use the survey results to help secure election systems from cyberattacks. EAC noted that the National Institute of Standards and Technology (NIST) developed a framework for “understanding how election officials and other stakeholders may use EAVS data to bolster their efforts to protect against, detect, and recover from malicious cybersecurity activity.”
EAC then used NIST’s five categories to detail how its data can be used.
- Identify and Protect: The report noted that EAVS data can help election officials and other stakeholders “better understand core elements of the nation’s election infrastructure.” The EAVS, alongside the Policy Survey conducted by the EAC, collected nationwide data on the “scope and scale of U.S. elections and on critical issues of election technology” and broke down that data state-by-state and jurisdiction-by-jurisdiction. The survey provides granular-level data on categories ranging from the number of voters served to the number of and type of voting equipment used by jurisdictions. “EAVS data can be used to help identify core assets of U.S. elections infrastructure, outline the cybersecurity threat environment, and inform protection efforts,” the report said.
- Detect: The EAVS data can serve as “baseline information to support the detection of potentially anomalous election activity.” The report identified examples where the data would prove useful, including how “knowing the baseline provisional ballot issuance rate for a given jurisdiction could potentially help election officials detect problems with their voter registration data or e-poll books in real time during polling, which could potentially result from a cybersecurity incident affecting voter registration systems and data.”
- Respond and Recover: “Post-incident analysis is also a core component of cybersecurity response and recovery efforts,” the report said. “The data collected through the EAVS and Policy Survey offer analysts essential baseline information to complement such analyses.” The EAC noted that a specific jurisdiction’s analysis into a cyber incident or vulnerability regarding a specific piece of voting equipment would be strengthened by EAVS data that identify which jurisdictions across the country use this same equipment. Essentially, the data could help extend the results of one jurisdiction’s cyber incident analysis to help other states or localities. The report further highlighted how EAVS data can be used to share best practices and lessons learned across state and jurisdictional lines. The report explained that election officials have “failsafe” mechanisms built into their systems and the EAVS data could help election stakeholders better understand those mechanisms. “For example, the impact of a cybersecurity incident that maliciously altered voter registration records or immobilized e-poll books may be mitigated by the use of provisional ballots or same-day voter registration procedures,” the report said.