Fourteen months later, Americans are still talking about the 2016 election. Discussion continues in regard to Russian interference, and perhaps most significantly, cybersecurity and election infrastructure. I believe a piece that is missing from these discussions is the work going on in states to secure our systems and to prepare for potential threats.
In Indiana, we take great care to prepare our election administrators for each cycle, and in partnership with localities, other states, and the federal government, we are developing new answers to security concerns and election policy. On a national level, The National Association of Secretaries of State (NASS), a bipartisan organization comprised of Secretaries of State from around the country, is working to develop best practices and to get states the information they need from the federal government.
I currently serve as President of NASS, and I sit on the NASS cybersecurity task force. Our organization has been working with the Department of Homeland Security (DHS) to get Secretaries of State security clearances, so secretaries and their staff can access information held by the federal government. This access represents a huge step forward for election administrators, as we are now able to bring state government resources alongside the resources of DHS, the FBI, and other federal agencies. The timing is important given the increasing number of cyber threats from around the globe, and hackers’ interest in penetrating election systems and manipulating election processes.
In Indiana, the security of our systems is of the utmost importance. I personally spend at least an hour a day on this topic and on many days much more. Before I dive into our election security practices, a word on Indiana’s electoral infrastructure is warranted here. It is important to know that no piece of Indiana’s voting equipment is online. The machines and tabulators are not connected to the internet. We have a mechanism known as the Voting System Technical Oversight Program hosted by Ball State University that tests all of the election equipment used in Indiana for an added layer of safety and security. We also do public tests in all counties prior to an election.
In addition to physical security, information is a powerful defense. A great tool has been the Multi-State Information Sharing and Analysis Center (MS-ISAC), an independent entity that partners with DHS, which allows us access to 24/7 security information, threat notifications, and security advisories. We also communicate with our own state information center and our vendors to put policies and procedures in place to protect our systems. We have a working group under Governor Eric Holcomb’s cybersecurity council that is creating best practices to secure our state systems.
There is also proposed legislation in the Indiana legislature—which meets until March of this year—that is currently under discussion. One bill would require counties to report security and election issues directly to the Secretary of State, allowing my office to share potential issues with other counties and states in an efficient manner. Another bill would require that voting machines used in Indiana could only be sold or resold for official use, preventing hackers access to machines.
In 2017, hackers gathered for their annual Defcon conference in Las Vegas. They bought old machines and attempted to penetrate the systems. This garnered a lot of media attention saying the equipment was not secure and easily manipulated. Hackers given unlimited access to many types of machines could allow for the manipulation of the equipment. It is important to note that county election officials who own the machines in Indiana vigilantly protect access to the machines. When the machines are not in use for an election, they are under lock and key. During voting hours, poll workers watch voters to ensure tampering with machines does not occur. A voter only has two minutes to cast their ballot. No one is given unlimited access to the machines.
Our preparation does not stop at the state level. Elections in Indiana are largely administered by the county election office, which serves as the first line of defense against threats. In order to prevent unauthorized access to election databases, we are currently working on a multifactor authentication protocol which uses a token validation method. This method requires users to insert a USB token into their computer and enter a token ID, used to validate user access into the Statewide Voter Registration System (SVRS) after the user correctly enters their user name and password. This validation will only be operational during set work hours, and a separate authorization will need to take place for after-hours access.
Furthermore, we have instituted staff training at the county and state level to teach employees how to identify phishing scams. While phishing scams are incredibly simple, they are often effective and can be prevented. In a traditional phishing scam, a potential hacker sends an email to a staff member. If the staffer clicks on the link in the email, it can give the hacker access to their computer and systems to which the employee has permission to access. Our training program is focused on educating staff about what to look for and how to report it.
The way Indiana runs elections is probably going to change as a result of the aforementioned cybersecurity concerns. Some are even going so far as to call for a return to paper ballots. I am skeptical that is the answer, and believe there are options for us to continue moving elections forward using technology. When I was a county clerk, reporting results on election night, paper ballots and lever machines votes didn’t always reconcile. Electronic tabulations do a much better job of tracking each vote and ensuring the number of voters who cast a ballot matches the number of votes cast.
My team and I here in the Indiana Secretary of State’s office and my fellow Secretaries of State across the county will continue to work with cybersecurity experts, DHS, MS-ISAC, and academics to develop the best practices to protect the sanctity of our elections. We must demonstrate to voters that proper precautions are in place to secure their vote. Effective security demands thorough preparation, and thorough preparation only occurs when all parties involved are united in their communication, vigilance, and vision. I am proud to say that I believe Secretaries of State throughout the country are committed to this mission as well as local election officials.
Connie Lawson is Indiana’s 61st Secretary of State. As Chief Elections Officer, she is focused on ensuring the integrity and security of Indiana’s elections.