2. States should lease rather than own election equipment. A well-known cybersecurity defense is to patch our personal devices, operating systems and apps as soon as vendor updates are released. States that purchase costly election equipment have shown that they, and their vendors, do not maintain the same cyber-hygiene – thereby putting every voter and democratic outcomes at grave risk.
A case in point is Georgia. Its voting machinery was purchased in 2002 (largely with federal funds) and has been unsupported by the vendor since 2005. Imagine — no patches, updates or improvements in 14 years as the very sophistication of cyberattacks has evolved from simply defacing a website to today’s ransomware that holds hostage an entire city (Atlanta, 2018) or hospital systems (nationwide, 2016).
The better alternative for all states, regardless of which type of voting equipment they use, is to lease rather than own. This shifts the maintenance responsibility and some liability for cyber-defense back to the vendor. It allows states to regularly re-examine voting equipment against the latest technological landscape. Finally, it could be far less expensive.
3. Cybersecurity is now a primary responsibility of every Secretary of State’s office. Long considered a neutral office largely free from political strife, Secretaries of State are now in the middle of a tempest. The amount of data and processes they manage make Secretaries of State prime targets for cyber manipulation, data theft, and nation-state malfeasance. Cybersecurity here should not be a task assigned to just a few IT employees; it is essential to every function of the Secretary of State’s office. Personnel need widespread training on cybersecurity defense. These offices deserve to be appropriately staffed and funded for such an important mission. State legislators must re-examine – not only which new election systems to adopt – but also how much to appropriate for cybersecurity staffing and training.
The public has a right to be concerned about election security despite any hard evidence of tampering to change votes. Cyberattack is the new, “perfect” weapon, and is being continuously developed and targeted at our valuable assets. Our nation is watching Georgia, and Georgia has waited too long to act. It has famously become the epicenter of debate over voter disenfranchisement and election mismanagement. Yet, regardless of political affiliation or bias, I hope the country realizes that we all have a stake in this debate. For everyone’s sake, I hope the points made here remind us how united we can stand.
Wenke Lee, Ph.D., is a professor of computer science and John P. Imlay Jr. Chair at the Georgia Institute of Technology, where he also serves as co-executive director of the Institute for Information Security & Privacy. He has published nearly 150 research articles about cybersecurity and is a Fellow of the Association of Computer Machinery (ACM).He became an American citizen in 2000.