Deborah Snyder, CISO of New York State, recently sat down with SC Media to discuss election security for the 2018 midterm elections and beyond. Her responses are slightly edited for clarity.
SC Media: Last July, Gov. Andrew Cuomo announced the allocation of $5 million in Fiscal 2019 state funds toward securing contracts for third-party election security services that local municipalities can use as needed. How is this process going?
Deborah Snyder: The state recently orchestrated three separate contracts. The first is… risk assessment services – on-site support for local boards of elections to take advantage of risk assessments and to be able to understand whether systems could be potentially vulnerable, and be able to act to remediate. So those services are out there happening as we speak. A contract has been awarded and there’s an individual entity out there conducting those services.
The second is intrusion detection devices, which is the deployment of devices that prevent and detect intrusion. So agencies, organizations of the counties can take advantage of those devices if they don’t already have them in place. Many local entities already have intrusion detections devices and services in place. So if you need them, they’re available to consume.
The third is managed security services, which is essentially watching, from [an] external standpoint, what is trying to get into your networks? And reporting and alerting, almost like an Albany radar, if you will. So those services are available if, again, an entity does not have them. All of these are part of the $5 million investment that the state has made in protecting election systems under Governor [Andrew] Cuomo, and are very well received by the local entities. I have to give a plug to our folks in the state board of elections for orchestrating these services to make them available, because they’re very much a part of the basic foundation of services you should have in place.
SC: Let’s talk about 2018 elections now. New York State uses paper ballots instead of electronic voting, which certainly reduces the risk of foreign influence coming into the midterm elections. What other key protections are currently in place?
DS: As you stated, New York is somewhat advantaged by the fact that we’re still a paper-based system, which isolates us from internet-connected attacks, if you will. There’s a lot of crosschecks and a lot of audits in those systems in terms of reporting the votes...
The state board of election’s systems underwent a security review under the direction of the governor, as did the Department of Motor Vehicles’ voter registration system, which essentially collects information from a voter when they’re registering and passes it along to the counties. (I will clarify that the state Department of Motor Vehicles does not take it the next step. That’s done at the local level, where they reach out and verify and validate the voter and make sure that you are who you say that you are before they register you to vote. They just are a collector of that data and a facilitator of voter registration.) So that process was also reviewed and the security found to be what it needs to be, to be in place.
So, I think in sense of a full and comprehensive review of all the systems, voter infrastructure, if you will, that that’s where New York State has led the charge, in making sure that we’re protecting everything at every level.
SC: And you conduct training exercises as well, correct?
DS: One of the things that I’m very pleased about is that we conducted a first-of-its kind, statewide series of regional tabletop exercises that were focused on cybersecurity preparedness and responses to threats to elections systems specifically. And that was hosted by the state board of elections and the U.S. Department of Homeland Security in partnership with the state agencies that play a role in the states’ overall cyber. So, of course, Office of Information Technology Services and the New York State Intelligence Center and the Department of Homeland Security emergency preparedness were involved and engaged in those exercise scenarios. And they replicated a very realistic scenario where attackers were attempting to undermine voter confidence and interfere with their operations and affect the integrity of elections. So they… very much shined the light on where preparedness and plans needed to be tightened up to make sure that we were prepared and able to respond effectively.
SC: Are there any other current election security efforts that you’d like to recognize?
DS: I think our critical partnerships with the federal Department of Homeland Security and the Multi-State Information Sharing & Analysis Center and the Elections Infrastructure Information Sharing & Analysis Center, and also law enforcement, have made a big difference. Obviously, if you operate in cyber silos, the disadvantage is that you don’t have a shared awareness of what the threats are at any given point, and in such situations you need to have real-time awareness and real-time intelligence.
So those partners and the exercises that we’ve done, as well as the governor’s unconditional commitment to actively raising public awareness [have helped]. I mean just recently he warned citizens of voter registration scams after a few of our counties reported receiving calls and text messages that offer to register individuals to vote requesting personal information over the phone. You just know someone’s going to fall prey to those types of situations.
The state board of elections also issued warnings to the citizenry, because cyber isn’t simply about technology, it’s about raising public awareness. It’s about what people know and do, and so to the citizenry, I would just say, make sure that you check your facts. Don’t get your news from social media, get it from reputable news sources, and be aware of things that can happen. Heed the alerts and heed the warnings that are publicly available.
SC: And finally, what are your thoughts on states that do still rely on direct-recording electronic voting machines, particularly those that do not have a paper-based audit trail?
DS: I think any system that’s internet-connected is potentially vulnerable, and so if a state has a system that is, they need to be attentive to basic security protocol and aggressively work to contain those systems. But insofar as connected systems, the reality is that if you put your systems into that position, you have to be ready to protect them.