State of U.S. Election Security
The U.S. Election Assistance Commission (EAC) held the 2019 Election Security Forum this week (August 15th) to determine and explain the current state of U.S. election security. While the topic is contentious given conflicting partisan views on the issue and the failure of recent election security bills, there was consensus among the panelists on all three panel discussions as to the causes of election security woes. Specifically, it was agreed that the primary causes are the end of Windows 7 support, conflicts between certification requirements and patch/upgrade schedules, and poorly addressed security fundamentals.
EAC Commissioner Thomas Hicks succinctly stated the point of the Forum early on: With the U.S. Presidential Election less than 15 months away, it is important to assess election security efforts, where federal money was spent to improve security, and to identify opportunities to make security even stronger.
In March 2018, Congress appropriated $380 million in Help America Vote Act (HAVA) Funds in part to support states and territories in improving election security, primarily via hardware purchases and audit and training costs. Hicks said 85% of that money is expected to be spent by the time of the 2020 election cycle. Further, 90% of that will be spent on improving security and resiliency and on replacing election hardware systems.
Geoffrey Hale, director of the elections division at the Cybersecurity and Infrastructure Security Agency, Department of Homeland Security (DHS), and one of the panelists at the Forum, said that while the DHS largely focuses on securing databases, it is also concerned with the integrity of voting systems and offers support to partners at no cost. “We are thrilled with election community engagement,” he said. “All 50 states and several major vendors are actively involved.” Hale did not detail the full nature of such involvement.
Microsoft Windows and EAC Certification Conflicts
Panelists agreed that Microsoft ending support for Windows 7 forced an upgrade cycle that stretched limited state budgets and consumed much of the federal money Congress provided for election security support.
“Replacing all Windows 7 computers used in registrar voters and clerks of court offices with Windows 10 virtual laptops has cost well over $250,000,” said the Honorable Kyle Ardoin, Secretary of State, Louisiana. He said the state is currently leasing voting machines while it completes the RFP process to buy new machines, a step forced by the Windows 7 end of life. “Just the leasing of machines has cost us well over $2 million,” Ardoin said.
But patches are a problem too, not just the operating system upgrades. Microsoft releases patch updates on the second Tuesday of every month. Louisiana’s IT division tests updates and upgrades before deployment to catch breakage or other problems downstream.
“What I mean by breaking things is that all our bandwidth was consumed at one colocation site during qualifying in our rush to deploy Windows 10. We had to temporarily block Windows updates,” Ardoin said. “Vendors will say that you can force updates but doing so breaks EAC certification. This leaves our offices vulnerable to anything that happens.”
Among the panelists was Ginny Badanes, director of Strategic Projects for Microsoft’s Defending Democracy Program who…