New York, DHS testing voting systems cybersecurity
The New York State Board of Elections—in concert with the Department of Homeland Security (DHS) in partnership with the Division of Homeland Security and Emergency Services (DHSES), State Police, and State Intelligence Center—yesterday wrapped up the first-of-its-kind series of tabletop exercises focused on protecting the integrity of New York’s electoral systems against cyber-attacks.
The series of regional tabletop exercises—which cover all of New York’s county election jurisdictions—are focused on cybersecurity preparedness and response to threats to election systems, including biometrics.
According to an announcement from New York Gov. Andrew M. Cuomo, the tabletop exercises will identify areas for improvement in cyber incident planning, preparedness, and response through simulation of realistic scenarios attempting to undermine voter confidence, interfere with voting operations, and affect the integrity of elections.
“We have witnessed firsthand the devastating consequences a compromised election has had on our nation and New York will not stand idle and allow our democracy to be infiltrated once again,” Cuomo said, noting, “The people of New York deserve an open, transparent election process they can trust, and these exercises are an integral part of restoring voter confidence and the integrity of our election infrastructure.”
“These exercises, in partnership with state and federal agencies, will provide the needed training to identify and address potential incidents of cybersecurity when it comes to our electoral process,” said Lt. Gov. Kathy Hochul. “We’re committed to ensuring that our elections are free from foreign influence, and we will continue to build off our first in the nation legislation that ensures transparency in political advertising and works to protect the integrity of our elections.”
The information gleaned from the six regional tabletop exercises with state, local, and federal stakeholders hopes to clearly identify and articulate the risks, and to develop necessary steps to safeguard the election process against a cyber-attack.
“These exercises show the seriousness with which federal, state and local officials take the threat to election infrastructure, and the level of cooperation taking place to address it,” said Bob Kolasky, Acting Deputy Under Secretary of DHS’s National Protections and Programs Directorate. “State and local officials in New York have taken a number of steps to improve the security of their elections, and [DHS] stands ready to support their efforts through exercises, information sharing, and by providing our technical cyber analysis and expertise. We look forward to continuing to work together to ensure the security and integrity of future elections in New York.”
Matthew Masterson, Senior Cybersecurity Advisor at DHS’s National Protection and Programs Directorate added, “The Department of Homeland Security values our partnership with New York State as we work together to improve the security of the election process.” He said the “training is just one example of the New York State Board of Elections commitment to the process to secure elections against cyber and other threats. We will continue to support the Board of Elections’ work to ensure the election process is secure and the residents of New York votes count.”
Robert A. Brehm, Co-Executive Director of the State Board of Elections, said, “From some of the most stringent security protocols in the nation for voting systems to taking steps to meet the challenges that cyber threats pose, the board welcomes this opportunity to build upon its already strong relationships with local, state and federal partners to best position itself to protect the election infrastructure of the state.”
New York State Cyber Security Advisory Board Executive Director Dr. Peter Bloniarz, said, “Cybersecurity is an ‘all hands on deck’ effort that takes teamwork and partnership between all levels of government. Under Governor Cuomo’s direction, his administration has worked collaboratively with State and County Boards of Elections and federal authorities to prepare to meet today’s cyber threats. Lessons learned from these tabletop exercises will help New York continue to be vigilant in protecting its election infrastructure.”
According to Cuomo’s announcement, “The exercises will be substantively similar, with several scenarios contoured for each region. The scenarios will be based on a combination of real world events and potential risks facing our election infrastructure. This includes possible social media manipulation, disruption of voter registration information systems and processes, voting machines, and the exploitation of board of elections business networks.”
The exercises are part of the New York election board’s cybersecurity plan approved on May 3 “to further strengthen cyber protections for New York’s elections infrastructure through the Board’s Secure Elections Center. The plan, dubbed ARMOR has four elements:
•Assess the risk to state and county elections systems;
•Remediate the vulnerabilities;
•Monitor ongoing operations; and
•Respond to incidents.
The exercises align with initiatives announced by Cuomo in his 2018 State of the State address, which includes a four-pronged approach shared by the State Board of Elections to further strengthen cyber protections for New York’s elections infrastructure:
•Create an Election Support Center;
•Develop an Elections Cyber Security Support Toolkit;
•Provide Cyber Risk Vulnerability Assessments and support for county boards of elections; and
•Require counties to report data breaches to state authorities.
Earlier, in March, more than 120 election officials from 38 states gathered in Cambridge, Massachusetts to participate in tabletop exercises intended to fortify their election systems against cyber-attacks and information operations. Organized by the Defending Digital Democracy Project (D3P) at Harvard Kennedy School’s Belfer Center for Science and International Affairs, officials dealt with a variety of simulated attacks on election systems.
“State and local election officials are now on the front lines of a battle to maintain trust and confidence in America’s digital democracy,” said Belfer Center Co-Director and former Pentagon chief of staff and “cyber czar” Eric Rosenbach. “Through tabletop exercises like we had this week, D3P is working to help states protect the integrity of their election infrastructure, and we plan to continue working on a strategic framework for protecting democracies in this information age.”
“Secure elections begin with having systems that can withstand cyber attacks. For over a decade, the EAC’s Testing & Certification program has worked with the election community, the National Institute of Standards and Technology and the Technical Guidelines Development Committee to define specifications and requirements voting systems can be tested against to ensure they meet the required standards,” former US Election Assistance Commission Commissioner Matthew Masterson, said last year.
“The most recent iteration of these standards, the Voluntary Voting System Guidelines (VVSG 2.0) (PDF), were adopted on September 12, 2017” and “designed to spur innovations that will give voters the best experience possible while ensuring improved accessibility, security, accuracy, and auditability of voting systems. Expected to be released in 2018, these new testing guidelines will become the most flexible and comprehensive standards against which voting systems can be commercially tested in the United States,” he said.
Last month, however, Biometric Update reported that while other nations are rapidly incorporating biometrics into their voting technologies, the US Congress and states – and local jurisdictions – haven’t seemed to be all that concerned about utilizing biometrics to verify the identities of individuals voting in America, despite the concerns over election machine cyber-tampering that’s continued to be hotly debated since the 2016 elections.
In its report, Observations on Voting Equipment Use and Replacement), the Government Accountability Office (GAO) — Congress’ investigative arm — “did not consider the issue of biometrics as part of our work,” Biometric Update was told by Rebecca Gambler, Director, Homeland Security & Justice issues at GAO. Gambler added, “GAO’s prior work on elections issues also has not addressed biometrics, and thus, we don’t have background or insights to share in this area.”
Meanwhile, DHS chief cybersecurity official, Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and Communications, National Protection and Programs Directorate, told the Senate Select Committee on Intelligence’s hearing on election security in March that, “We have evidence of … election-related systems in 21 states were targeted” by Russia.
DHS’s Office of Intelligence and Analysis Acting Director Samuel Liles testified that by late last September, the Intelligence Community had established that 21 states “were potentially targeted by Russian government-linked cyber actors” by scanning of Internet-connected election systems.
None of these or other officials or experts who appeared before the panel, though, discussed biometrics in their testimony regarding new voting technologies as part of the voting security debate.
Much of the reticence in the US over deploying biometrics in the voting process tends to pivot on privacy rights, although two counties in West Virginia are the first in the nation to test a mobile biometric, blockchain voting application for members of the Armed Forces overseas.
Elsewhere around the world, though, according to the International Institute for Democracy and Electoral Assistance’s (IDEA) information and communication technologies (ICTs) Elections Database, as of 2016 more than 50 countries had adopted biometrics in elections, with significant differences between regions.
Still, in the US, questions regarding the incorporation of biometrics into US voting systems “will have to be examined thoroughly,” Biometric Update was told on background by a senior DHS cybersecurity official familiar with the New York exercises, adding, “I just don’t see how we’re going to be able to adequately secure our disparate systems without doing so. It’s going to take some very heavy lifting by both the federal government … and the states, to get there – perhaps even one standardized system.”