The good news is that the thousands of county and municipal governments that administer elections across the US have a variety of effective cybersecurity programs available to them, free of charge.
The bad news is that the vast majority don't use any of them.
In the complex debate about US election security, the focus tends to be on campaigns, parties, states, voting equipment manufacturers, and national trends. But the literal administration of elections, like the printing of ballots, coordinating poll workers, and organizing polling places, falls to more than 10,000 county clerks and local municipalities, according to the nonprofit organization Verified Voting.
And those are the people the Department of Homeland Security would like to sign up for its cybersecurity program.
“There should not be any counties left out, because they can sign up for cyber hygiene scanning,” Jeanette Manfra, DHS’s top cybersecurity official, told BuzzFeed News.
“They absolutely have the ability to be a partner. They might not know about it, so we’ve got to keep working to get the message out,” Manfra said.
Counties in particular have been targeted by foreign government hackers. In 2016, Russian military intelligence sent phishing emails to VR Systems, a voting equipment manufacturer, and to county employees. Six weeks before the election, the FBI and Department of Homeland Security had to frantically alert Florida counties of an unspecified Russian threat.
It’s not that free cybersecurity tools don’t exist. The Department of Homeland Security offers an election-specific version of its threat-sharing program, called EI-ISAC, to anyone who wants it, and has done a number of outreach events around the country in recent months to promote it. All 50 state governments have joined, but county and local governments participating only number about 1,100.
Recently, several major tech companies have created free cybersecurity programs to help secure elections. Jigsaw, Google’s sister company, has Project Shield, which protects nonprofits and newsrooms from DDoS (or "distributed denial-of-service") attacks, and this year made it available to US political organizations. Jigsaw won’t say exactly how many US counties use the service, but their total number of protected sites around the world is fewer than 1,000. Cloudflare’s Athenian Project makes its full cybersecurity service free to US government sites. Around 60 local and county governments are in discussions to use it.
“County governments are enterprises like any other business, and when they have services that are out on the web or connected to networks, they have to be protected like any other businesses,” said Verified Voting president Marian Schneider, who previously was an election security adviser to the state of Pennsylvania.
The US’s decentralized election setup means that attitudes, resources, and priorities vary wildly among its smaller governments.
“We’re playing catch-up. A lot of the technology and the programs available are complex if you’re not from a computer world,” said Barb Byrum, the clerk for Ingham County in Michigan.
Byrum recently began using EI-ISAC, though she’s found its regular cybersecurity updates a little overwhelming.
“I think the reason you’re not seeing clerks embrace the free or low-cost programs is not that we don't want to — it’s that there’s so much on our plate,” Byrum said. “We just got off an August election; now we’re jumping into a November election.”