HAVA-Funded Program Allows for Comprehensive Review
“What you don’t know won’t hurt you” may work in some circumstances, but in other situations the consequences are not worth the risk.
A related maxim came to mind when Chambers County Clerk Heather Hawthorne looked toward a review of the county’s election infrastructure.
“The County Election Security Assessment (ESA) substantiated my initial thoughts of ‘I don’t know what I don’t know!’ ” Hawthorne shared. Her inclination was correct, and the evaluation led to needed improvements to the county’s election plan.
County ESAs are paid for with federal Help America Vote Act (HAVA) funds received by the State of Texas in 2018, explained Sam Taylor, communications director with the Office of the Texas Secretary of State (SOS).
“This program is 100 percent free of charge to each county,” Taylor emphasized.
In March 2018, the State of Texas was provided with approximately $23.3 million in federal HAVA funds to enhance election security, Taylor reported.
In July 2018, the SOS submitted a proposed spending plan to the U.S. Election Assistance Commission which included dedicating funds to provide free election security assessments to county election offices in order to determine what, if any, upgrades are needed at the local level in order to further enhance the security of the election infrastructure.
In August 2018, the SOS and the Texas Department of Information Resources (DIR) officially informed county election officials about the opportunity to receive these free assessments and provided guidelines for initiating the process, Taylor recounted. The ESA program is administered jointly by the SOS and DIR and is conducted through the DIR’s Shared Technology Services, a cooperative purchasing program through which the state has already vetted the vendor and partner – AT&T – and followed all appropriate procurement guidelines.
The program allows all 254 Texas counties to undergo an assessment to review Texas county election infrastructures including people, processes, and technology, specified Gene Moore, client manager with AT&T Global Public Sector.
“We strongly encourage every Texas county to take advantage of these cybersecurity assessments, which come at no cost to the county and will serve as a valuable tool for county election officials as they prepare for the 2020 elections,” Taylor recommended. “While Texas elections have been and remain secure, our office wants to ensure that all Texas counties have the information and resources they need to further enhance the security of their election infrastructure.”
The SOS set aside a portion of the federal funding – approximately $13 million – for remediation expenses that counties may use for needed upgrades after they have completed their security assessments, Taylor specified.
Over a dozen counties have completed their respective assessments, Taylor said. Several dozen others are in the process of gaining contract approval from their respective Commissioners Courts. Approximately two thirds of Texas counties have either begun the process of receiving their free assessments or have expressed interest in receiving one.
Potter County completed the ESA in February; Melynn Huntley, Potter County elections administrator, credits the experience with saving an election. On April 19, a malicious virus infiltrated the county’s computer system. Early voting was set to begin the next business day, April 22.
One of the recommendations following the ESA was the development of an emergency plan, Huntley stated. Thankfully, the new plan was in place by April 19, and Huntley reassured the public that “everything we normally do during an election will function just as it normally does.”
“Our goal is to ensure that all 254 Texas counties take advantage of this free assessment before 2020 so they can implement any security enhancements in advance of the primary and general elections,” Taylor said.
Initiating the Process
All counties should have already been contacted by AT&T, Taylor said. However, if a county has not been contacted or wishes to proceed with an assessment, the county can email the state at ElecAssessment@sos.texas.gov, or reach out to AT&T directly at Gene.Moore@att.com. AT&T will gather the information needed to move to the next step and will be the county’s contact during the preparation phase of the assessment.
After initiating the process, the county should designate a single point of contact to serve as the county’s liaison on all matters related to the assessment, Taylor continued. Next, the county needs to execute an interlocal contract and a managed security services contract with DIR with approval from the Commissioners Court.
After approval, the AT&T team will review the specific Solution Proposal Package with the county and schedule an in-person visit to perform the on-site portion of the assessment, Moore stated. The on-site visit generally takes between one to five days depending on the size and complexity of the county. The full assessment can take several weeks to complete.
The ESA evaluates the policies, processes, technology, and staff involved in the elections process at the county level, Moore summarized. The ESA helps illuminate security vulnerabilities in each area and includes insights and feedback to help counties understand where they may need to fine-tune.
“The goal of the standardized assessment is to help remove the guesswork and pinpoint any issues to show each county how to enhance current security measures,” Moore continued. AT&T uses the National Institute of Standards and Technology Cybersecurity Framework that gives “an easy-to-follow, repeatable process for counties to continue to build on.”
The assessment is comprehensive, Taylor noted, and covers election security procedures including cybersecurity and physical security of all infrastructure related to election administration. The ESA findings are confidential and are provided to the county upon completion of the assessment.
“These results provide a road map for each county on what steps need to be taken to further enhance security, such as strengthening passwords and adding extra layers of cybersecurity safeguards,” Taylor specified. “Many of the enhancements that counties are encouraged to make as a result of the assessments are free or low-cost, such as implementing or updating policies and procedures, improving password security, or cybersecurity training for election officials and their staff.”
The county receives a scorecard that outlines high-level security concerns, recommendations, and a detailed report to support the findings, Moore elaborated. AT&T also schedules a wrap-up call with the county to review all findings, answer any questions, and discuss recommendations to provide for a robust understanding of any issues identified, Moore continued.
Many of the suggestions made following Potter County’s ESA were implemented with zero cost, Huntley shared. For example, the development of a cybersecurity policy and emergency plan, training employees, and updating passwords did not cost the county any money. However, Potter County will eventually make some changes to infrastructure to improve cybersecurity, “but it is not anything we can’t afford,” Huntley specified.
The ESA partners “stand ready to assist the counties with the contractual process for receiving the free assessment,” Taylor offered. “We look forward to working with each Texas county to provide training and resources to keep our elections systems secure and provide Texas voters with confidence that their votes will be counted exactly as they are cast.”
By Julie Anderson