What's Next for Election Security?

Election security is a big topic, but it resembles a many-legged centipede. Federal contractors face the reality that elections are the purview of state, county and municipal officials. The technical and managerial abilities of these entities vary from what you might expect in a tiny hamlet to what you might encounter in a million-person suburban county.

Aside from the diffusion of authority, the term “election security” encompasses a range of functions, some physical, some electronic. In some ways the voting process resembles the process employed by the U.S. Census Bureau in conducting the decennial count. In using the internet for the first time to gather household data, the Bureau integrated several elements. It notified homes with physical mail containing a unique, one-time-use access code. Upstream, it has the challenge of protecting the collected data and verifying that duplicative use is in fact not possible.

Not to push the analogy, but the mail-in Census option resembles the mail-in balloting process that’s expanded so much in recent years. Both electronic and mail balloting are likely to balloon as the coronavirus threat affects nearly every governmental process.

Vendors looking to get finger-and-toe holds on this market should check out the draft Voluntary Voting System Guidelines 2.0, recently put out for comment by the Election Assistance Commission. The technical committee developing the new standards was chaired by the director of the National Institute of Standards and Technology, Dr. Walter Copan. The draft is nearly 400 pages, so you’ll have to do some homework to find clues to opportunities.

It’s not all foreign language though. The guidelines emphasize customer experience, user-centered design, accessibility under Section 508 standards, and online content. They also, notably, emphasize cybersecurity, principally of voter registration databases. Vendors with experience in systems architecture will find the need for designs that ensure the integrity of each phase of elections, and for maintaining the necessary “air gaps” between system components. For example, voter-identifiable information necessary for verification can’t carry over into the voting process itself. The guidelines also emphasize common data formats, use of commercial devices where applicable, and presenting familiar user interfaces.

You’ll encounter fine detail in the proposals. For example, the draft proposes strict design characteristics for wireless networks, and spells out where they may and may not be used at all.

Companies with artificial intelligence skills will recognize the requirement for auditability and transparency of results that come out of a “black box.” For example, the standards include this principle: “The voting system produces readily available records that provide the ability to check whether the election outcome is correct and, to the extent possible, identify the root cause of any irregularities.”

As for cybersecurity, the guidelines call for the meat-and-potatoes basics: preventing unauthorized access, use of standard cryptographic algorithms, and end-to-end chain of custody protection. You’ll find fine-grained detail for storage controls and the handling of ballot images.

Classic paper ballot or punch card voting systems are inevitably becoming more technology-infused. And touch screen and other basic electronic systems are becoming more sophisticated with respect to cybersecurity, chain-of-custody integrity, and overall systems architecture. The challenge for federal contractors or those dealing at the state level will be scaling their service offerings to match the skills and resources of some rather small customers. Vendor-to-vendor, the challenge will be entering a somewhat insular industry with considerable technical debt.