U.S. EAC’s panelists blamed Microsoft, EAC certification conflicts for election security woes.

Pam Baker

August 16, 2019


The U.S. Election Assistance Commission (EAC) held the 2019 Election Security Forum this week (August 15th) to determine and explain the current state of U.S. election security. While the topic is contentious given conflicting partisan views on the issue and the failure of recent election security bills, there was consensus among the panelists on all three panel discussions as to the causes of election security woes. Specifically, it was agreed that the primary causes are the end of Windows 7 support, conflicts between certification requirements and patch/upgrade schedules, and poorly addressed security fundamentals.


The EAC’s Tom Hicks

EAC Commissioner Thomas Hicks succinctly stated the point of the Forum early on: With the U.S. Presidential Election less than 15 months away, it is important to assess election security efforts, where federal money was spent to improve security, and to identify opportunities to make security even stronger.

In March 2018, Congress appropriated $380 million in Help America Vote Act (HAVA) Funds in part to support states and territories in improving election security, primarily via hardware purchases and audit and training costs. Hicks said 85% of that money is expected to be spent by the time of the 2020 election cycle. Further, 90% of that will be spent on improving security, resiliency, and replacing election hardware systems.

Geoffrey Hale, director, elections division, The Cybersecurity and Infrastructure Security Agency, Department of Homeland Security (DHS), one of the panelists at the Forum, said that while the DHS largely focuses on securing databases, it is also concerned with the integrity of voting systems and offers support to partners at no cost. “We are thrilled with election community engagement,” he said. “All 50 states and several major vendors are actively involved.” Hale did not detail the full nature of such involvement.

Microsoft Windows and EAC Certification Conflicts

Panelists agreed that Microsoft ending support for Windows 7 forced a refresh upgrade cycle that stretched limited state budgets and consumed much of the federal dollars Congress provided for election security support.

“Replacing all Windows 7 computers used in registrar of voters and clerk of court offices with Windows 10 virtual laptops has cost well over $250,000,” said Honorable Kyle Ardoin, Secretary of State, Louisiana. He said the state is currently leasing voting machines while it completes the RFP process to buy new machines, an issue forced by the Windows 7 end-of-life. “Just the leasing of machines has cost us well over $2 million,” Ardoin said.

But patches are a problem too, not just the operating system upgrades. Microsoft releases patch updates on the second Tuesday of every month. Louisiana’s IT division checks and tests updates and upgrades before deployment to catch breakage or other downstream problems.

“What I mean by breaking things is that all our bandwidth was consumed at one colocation site during qualifying in our rush to deploy Windows 10. We had to temporarily block Windows updates,” Ardoin said. “Vendors will say that you can force updates but doing so breaks EAC certification. This leaves our offices vulnerable to anything that happens.”

Among the panelists was Ginny Badanes, director of Strategic Projects for Microsoft’s Defending Democracy Program, who addressed the patch schedule conflicts with EAC certification. “We should be focusing on how to remove disincentives created by requiring recertification after patching or updating the system,” said Badanes. “In our perception there is a lack of clarity about if and how a security update could be applied without triggering recertification.”


Microsoft’s Ginny Badanes

“We should stop giving administrators the choice between using systems with known vulnerabilities and taking their systems out of certification,” Badanes added.

Ardoin added that ongoing support costs will continue to drain state election security budgets. When EAC Commissioner Hicks asked what else the federal government could do to help secure the 2020 and 2022 elections, Ardoin replied: “Can you convince Microsoft not to charge us? That would be a good start. It’s pretty expensive; our part is $300 per unit for a three-year period.”

While these problems affect a large number of states, Jerome Lovato, director of testing and certification at the EAC, said that “not all voting systems operate on Windows, there are also Linux, Android, and other operating systems” in play.

Unaddressed Fundamentals

Like its private sector counterparts, the public sector sees gaps in covering the security basics.

“Like the rest of the people here, we see a need to do the fundamentals,” said DHS’ Hale. Specifically, he cited maintaining system integrity with exploit detection, sound email security practices, and strong incident response plans as crucial.

Matt Scholl, chief of the Computer Security Division at the National Institute of Standards and Technology (NIST), reminded everyone present that reputational risk is as important as security risk. In the end, public trust means everything. NIST provides guidance, toolsets, metrics, and information to aid state and local governments (as well as many other entities) in securing technology and infrastructure.

MSSP and Security Provider Takeaways

For MSSPs and security providers looking to strengthen their election security offerings, or to gain a competitive edge with existing or potential state and local government customers, the following insights gleaned from the Forum panelists and the subsequent Q&A sessions may be helpful:

  • Look for ways to manage patches that will still keep systems secure without delaying election timelines and deadlines or breaking EAC certification. If you can solve this issue, you’ll likely be an instant vendor favorite.

  • Understand that each state does things differently, so there’s no such thing as a one-size-fits-all security plan. For example, the Honorable Denise Merrill, Secretary of State for Connecticut, said her state has no counties. It’s all towns, most of which are small. Everything is decentralized there, which makes hacking threats all but meaningless in terms of changing election outcomes. But it also calls for a change in the security tactics offered to states with counties. Think about customizing your offerings for every state and local government.

  • Remember to offer coverage of the fundamentals from email phishing training to alert fatigue management, and everything in-between that’s considered to be the basics.

  • Some states use voting systems with no audit capabilities or paper ballot backups. Consider offering the means to verify vote counts and to provide a secure audit trail.
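The last takeaway asks for a way to verify vote counts and keep a tamper-evident audit trail. The following is an added example, not code from the article or from any vendor or state named in it: a hash-chained log of precinct machine counts, a verifier that finds the first altered entry, and a reconciliation check against a hand count of paper ballots. The precinct names, candidate labels and counts are constructed sample data, and every function name is the example's own.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical hash-chained audit trail for precinct vote counts (constructed example).
Entry = Dict[str, Any]
GENESIS_HASH = "0" * 64  # fixed anchor that the first entry links to


def entry_digest(prev_hash: str, record: Dict[str, Any]) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode("utf-8")).hexdigest()


def append_entry(chain: List[Entry], record: Dict[str, Any]) -> Entry:
    """Append a count record, linking it to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"record": dict(record), "prev": prev_hash,
             "hash": entry_digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Entry]) -> Tuple[bool, Optional[int]]:
    """Recompute every link; return (True, None) or (False, index of the first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return False, i
        if entry_digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None


def head_hash(chain: List[Entry]) -> str:
    """Hash of the newest entry; publishing it lets anyone detect a fully rewritten chain."""
    return chain[-1]["hash"] if chain else GENESIS_HASH


def tally(chain: List[Entry]) -> Dict[str, int]:
    """Sum the machine counts on the chain per candidate."""
    totals: Dict[str, int] = {}
    for entry in chain:
        r = entry["record"]
        totals[r["candidate"]] = totals.get(r["candidate"], 0) + r["votes"]
    return totals


def reconcile(chain: List[Entry],
              hand_counts: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int, Optional[int]]]:
    """Compare each logged machine count with the hand count of the paper ballots.

    Returns (precinct, candidate, machine_count, hand_count) for every mismatch;
    a missing hand count is reported as None.
    """
    mismatches = []
    for entry in chain:
        r = entry["record"]
        hand = hand_counts.get(r["precinct"], {}).get(r["candidate"])
        if hand != r["votes"]:
            mismatches.append((r["precinct"], r["candidate"], r["votes"], hand))
    return mismatches


# Constructed sample data: machine counts reported per precinct (not real results).
SAMPLE_RECORDS = [
    {"precinct": "P-01", "candidate": "A", "votes": 120},
    {"precinct": "P-01", "candidate": "B", "votes": 98},
    {"precinct": "P-02", "candidate": "A", "votes": 75},
    {"precinct": "P-02", "candidate": "B", "votes": 81},
]

# Constructed hand count of the paper ballots; P-02/B deliberately differs by one.
SAMPLE_HAND_COUNT = {
    "P-01": {"A": 120, "B": 98},
    "P-02": {"A": 75, "B": 80},
}


def build_sample_chain() -> List[Entry]:
    chain: List[Entry] = []
    for record in SAMPLE_RECORDS:
        append_entry(chain, record)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("chain valid:", verify_chain(chain))
    print("head hash to publish:", head_hash(chain))
    print("machine totals:", tally(chain))
    print("mismatches vs hand count:", reconcile(chain, SAMPLE_HAND_COUNT))
```

The chain makes any edit to an earlier record detectable by `verify_chain`, but only relative to a head hash that was recorded somewhere the log's custodian cannot rewrite (a printed canvass report, for instance); a fully rehashed chain still verifies, and only a mismatch with the published head exposes it. The `reconcile` step is where the paper ballot backup earns its keep: it catches a count that was wrong before it was ever logged.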


About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
