The Technical Guidelines Development Committee’s (TGDC) cybersecurity working group doesn’t know what to focus on in terms of voting security less than two months from Election Day.
“It’s not clear where to go or whether our group should do anything on this,” said David Wagner, computer science professor at the University of California-Berkeley and member of the TGDC.
The TGDC serves an advising role to the Election Assistance Commission and doesn’t have any enforcement power.
“Should we try to continue at this stage or should we simply move on?” Wagner asked the committee.
The cybersecurity working group identifies election security principals, looks at election use cases, articulates security best practices, and finds and prioritizes risks.
“We need your guidance to enable us to do our work to figure out what is in scope,” Wagner said. “Most of [the systems] we can handle if you tell us to develop specific requirements.”
The committee declined to outline specific requirements in case their best practices duplicated other agencies. Instead, they chose to leave the cybersecurity issues to the Department of Homeland Security to handle.
“In some states ballots have already been received,” said Matthew Masterson, designated Federal officer for the EAC.
The committee said that time has run out to enact last-minute cybersecurity regulations, especially because the EAC has always been monitoring and making updates to the security of elections.
“Election officials are constantly adapting and improving to mitigate risks,” Masterson said.
Wagner said voter registration systems are more vulnerable than voting machines and that election officials should develop contingency plans in case something were to happen to the systems on Election Day. For example, election officials should know what to do if certain registered voters aren’t showing up in the system on Election Day because of a data breach.
“Contingency planning, I would say, is the No. 1 thing,” Wagner said.
Wagner also said that election officials could use new methods of evaluating voting systems. Officials could use innovative auditing techniques after the election to assess the success or failure of the machines and use evidence-based voting notions to measure the performance of the systems in the field.
Wagner said that voting systems should include automatic security updates at least by the time of the next presidential election.
“We need to be able to respond to risks and threats as they’re discovered,” Wagner said.
Willie E. May, committee chair, undersecretary of Commerce for Standards and Technology, and the director of the National Institute of Standards and Technology, said that DHS, NIST, the EAC, and the FBI are continuously engaging state election officials in cybersecurity discussions.
“We all are very aware of the need for such these days,” May said. “Recent cyberattacks…has us on high alert here in the U.S.”