Efforts underway to mitigate cyber risks facing US elections
One proposed federal measure, the State and Local Government Cybersecurity Act of 2019, would authorize the U.S. Department of Homeland Security (DHS) to work with state and local chief information officers and election officials to coordinate the implementation of tools, products, resources, policies, guidelines, controls, and procedures to safeguard election systems. The law would also allow DHS to conduct cybersecurity exercises with state and local authorities, and to provide those authorities with cybersecurity training and notifications concerning specific cyber threats.
A second proposed federal measure, the Protecting American Votes and Elections Act of 2019, would mandate paper ballots in federal elections and post-election “risk-limiting” audits, which have been described as being nearly as accurate as hand recounts.
Despite the urgency, it is unclear whether these and similar federal bills will gain the traction needed to be enacted. Nevertheless, in the face of stagnation on the federal level, some states have taken steps to address their election cybersecurity vulnerabilities on their own. In June, for example, the state of Ohio issued an order directing its boards of elections to, among other things, undergo risk and vulnerability assessments in cooperation with DHS, and to provide staff with annual training on cybersecurity issues. Ohio has also made grant funding available to boards of elections to defray the cost of implementing high priority action items identified in a recent statewide election infrastructure cybersecurity assessment.
Importantly, all of this comes against the larger backdrop of major cybersecurity incidents that have rocked cities nationwide. In 2018, for example, the city of Atlanta experienced a ransomware attack that brought many of the city’s services, including the city’s municipal court system and online bill payment tool, to a stand still.
As Election Day draws near, we expect similar and more robust cybersecurity measures to be proposed and implemented.
McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group will continue to monitor and report developments concerning these initiatives.