The 2016 incident, in which hackers infiltrated Florida county government computers, shows why smaller governments that commonly outsource their election infrastructure to private vendors need a helping hand when it comes to the oversight of those relationships.
Given the increased concern around foreign interference in the upcoming presidential elections — with senators, the White House, and intelligence agencies all warning of probable attempts by Russia, China, and Iran to sway votes — the need for more streamlined security is obviously important.
Most areas of vendor cybersecurity policy are unknown to government partners. The report claims: background check procedures for personnel; the existence of incident response plans; and the state of security for their supply chains; as well as whether the vendor is owned by a foreign national or entity, are all frequently gray areas.
In addition to the concern over foreign infiltration and interference, "the lack of visibility into vendors and their cybersecurity can also contribute to an inability to detect poor practices that might affect vendor performance until it is too late," the report reads.
The researchers suggest the Election Assistance Commission (EAC), an independent bipartisan agency, has the organizational structure to create a federal vendor certification program and a clear protocol for breaches of federal guidelines.
To do this, the EAC would need expanded powers, as well as an increase in its "cybersecurity competency and knowledge," the report argues. A boost in congressional funding, as well as pressure from Congress to staff the agency with dedicated cyberprofessionals, would help.
When it comes to the certification process there a number of factors to take into consideration.
To ensure the integrity of vendor personnel, ostensibly to confirm they are not foreign spies, the EAC should enforce a system of transparency around staffing controls, the report states.
"At a minimum, vendors should describe how they screen prospective employees for security risks, including background checks, and how they assess employees for suitability on an ongoing basis, including substance abuse screening," the report reads, positing that a good role model might be the FBI's system of background checks for U.S. Justice Department attorneys.
Verification of ownership is another key issue, according to the report.
"Lack of transparency into ownership and control of election vendors can mask foreign influence over an election vendor and corruption in local certification and contracting," the authors state, citing a 2018 example of an FBI investigation into a vendor for Maryland that was purchased by a Russian oligarch with ties to Vladimir Putin. To deal with this issue, researchers recommend prohibitions on "significant" foreign ownership and some enforced transparency.
Policies should be developed, too, to ensure supply chain integrity, as well as to create a comprehensive reporting system for potential cyberbreaches and incidents. Vendors should face a strong set of incident reporting requirements, the researchers argue, and vendor products and processes, like voting equipment transportation, software development, and servers, should be indexed for the relative cyber-risks they pose.
Finally, there is a question as to whether states should be obligated to comply with federal standards, or whether a voluntary mandate would be more effective.
The report ultimately argues that a softer approach, or leaving things up to the individual governments, would likely encourage greater participation, rather than forcing cities and states to align with federal regulations.
As long as vendors play such a "crucial role" in U.S. elections, the report concludes, more work needs to be done to ensure they can counter "malicious actors who have already taken steps toward compromising elections and the public’s confidence in our democracy."
