Don’t Rock the Vote: Helping State and Local Governments Fend Off Cyber Attacks


Voting in local, state and national elections could be viewed as a rudimentary form of social media, by which voters share their views and preferences via selection of a candidate or party platform. The distance between this “old school” social media and its multi-headed modern form has shrunk thanks to the advent of electronic voting machines and online voting. But, as always, with the implementation of new technologies comes new risks. Even though some progress has been made to shore up and protect the voting process from cybersecurity threats, there are plenty of ways government data breaches can “rock the vote” outside of the voting booth.

During this past election cycle, there was concern that the voting machines used by local municipalities were vulnerable to cyber attacks. With the November elections behind us, legislators are now looking at ways to address the growing cybersecurity threats to state and local governments. To that end, governments, Sens. Gary Peters (D-Mich.) and David Perdue (R-Ga.) reintroduced the State and Local Cyber Protection Act (S.412), an amendment to the Homeland Security Act of 2002 that would require the Department of Homeland’s National Cybersecurity and Communications Integration Center (NCCIC) to assist state and local governments in the following ways:

  1. Assistance, upon request, in identifying cyber vulnerabilities and appropriate security protections;
  2. Tools, policies, procedures, and other materials related to information security, and to work with state and local officials to coordinate effective implementation of these resources;
  3. Technical and operational assistance, upon request, to utilize technology in the analysis, continuous diagnosis and mitigation, and evaluation of cyber threats and responses;
  4. Assistance to develop policies and procedures consistent with industry best practices and international standards, including cybersecurity frameworks developed by the National Institute of Standards and Technology;
  5. Technical assistance and cybersecurity training, upon request, to state and local personnel and fusion center analysts; and
  6. Privacy and civil liberties training as relates to cybersecurity, focusing on consistency with existing privacy laws and DHS policies, minimizing the retention and use of unnecessary information, and prompt removal of the personally identifiable information “unrelated” to a cyber threat.

The bill has been referred to the Committee on Homeland Security and Government Affairs, and is awaiting further action by the committee. One of the bill’s sponsors, Sen. Peters, described the need for cooperation between local and federal agencies on cybersecurity issues, saying that, “Our nation is facing an ever-growing threat from increasingly sophisticated cyber-attacks, and we are only as strong as our weakest link.” The senator went on to add that “State and local governments face unique cybersecurity threats that can endanger critical infrastructure, as well as residents’ sensitive personal and financial data. This bipartisan legislation will help ensure every level of government has the necessary tools to protect their networks and respond to cyber-attacks.”

As noted in Sen. David Perdue’s press release, analysis from the Brookings Institute has found that state and local governments vary widely in their abilities to respond to cyber-attacks, thus the initiative to provide access to resource and expertise from the federal government. A key take-away from the Brookings Institute’s analysis is that although a need for cybersecurity measures is generally acknowledged, a majority of state and local governments have weak, ad hoc cybersecurity planning in place. Instead of relying on ad hoc plans developing from scratch, reliance on for example security standards established by the National Institute of Standards and Technology (NIST) would be more effective way for local governments to implement cybersecurity policies.

Lax cybersecurity policies and poor practices related to handling sensitive personal data has consequences. For example, a 911 audio tape of a domestic disturbance call leaked to the news media shortly before the election in Troy, New York rocked the 2015 mayor’s race.. Opponents also featured the the leaked audio of the frontrunner’s wife calling 911 in robocalls to voters before the election. Even though the city police characterized the incident as a “verbal argument” between the frontrunner and his wife for which no one was arrested, leaking the 911 tapes had an impact, as another candidate won the election. One could argue that voters have a right to know about the 911 call made by the frontrunner’s wife, but the ability of government employees to leak this type of sensitive information shows how lax privacy and security policies can interfere with elections without targeting actual voting machines.