Idaho Deputy Secretary of State Discusses Cybersecurity and the United States Election System

‘Our elections process is complex, it is varied, but it is held dear by those who steward it.’

by Eric Holdeman, Senior Fellow and Contributing Writer / October 31, 2018

Chad Houck is deputy secretary of state for Idaho. Prior to working with the Secretary of State’s office, Houck was a private consultant advising in operational and process improvements in the IT and commerce space. He serves on the Idaho governor’s Cybersecurity Task Force.

The series of questions and answers below delves into one state’s readiness to counter current and persistent cyberthreats from a variety of people, organizations and nations.

What are your duties with the Idaho Secretary of State’s Office relating to the security of elections within the state?

As the deputy, I have been appointed by our Secretary of State to lead the team that oversees cybersecurity for our entire office, from our Business Division to elections. Basically, all online, consumer-facing, and internal systems. As such, we monitor online voter registration and the voter registration database for elections. Elections, however, are run by our 44 respective counties in Idaho, so we also support them with intel and cyber best practices.

Do you think all the warnings from federal officials and an unprecedented Aug. 3 briefing on the threats to U.S. elections are warranted?

Absolutely. We have seen first-hand across the U.S. that nation-state actors and international interests are actively looking for exploit opportunities in our systems. The motives are unclear and varied, but the presence and the threats are definitely real.

What are your personal cybersecurity concerns about the November 2018 elections?

Two, really. Defacements and phishing. Defacements are always a big concern. While they amount to little more than digital graffiti and are mostly just an annoyance, they can have a huge impact on consumer trust. The motive is typically little more than eroding public confidence in the system, and defacing a relatively associated site like our business division homepage could be seen by consumers as, “The Secretary of State’s website was ‘hacked’…” even though it would be fully disconnected from elections. The second biggest concern is phishing’s growing effectiveness at exploiting the ever-present human factor — inherently the weakest link in any system.

Please describe how elections are conducted in Idaho. Is there vote by mail? Do you have electronic voting machines? Is there a paper ballot backup for every vote?

Our simple safety net in Idaho is that we are a 100 percent paper ballot state. You can vote early or absentee by mail in many counties, but even there we have paper. Some counties use electronic tabulators, but they are air-gapped from the Internet. Some still hand count. It is a diverse system with 44 different counties running 44 unique variations on common themes. That actually lends to the security aspect, since it is extremely hard to manipulate something so federated.

What types of actions has your office taken in response to the potential for foreign or other party interference in the election system?

Our office has taken considerable strides in improving our cyber-resiliency posture. We employ a broad-spectrum approach that includes social media, Web, internal and external systems. We deploy several different layers of software protection, and we look at cyber-responses across the full threat life cycle. That means, for example, that we have protocols not only for limiting access (prevention), but also to identify, isolate, disable, eradicate and mitigate bad actors if prior layers of protection should be compromised.

It is the independent counties that make up a state election system in the United States. What advantage does a decentralized election process have and what complications are caused by having a wide number of organizations administering elections?

The most difficult part of any system is the human error factor. That is why phishing is such a concern. Especially with the timing of the hurricane season and the devastation on the coast right now. It creates an intersection at the familiarity of a specific story in the press with the high empathy of human interest during a disaster. That makes a compelling cover for a bad actor. That said, the divested nature of a decentralized system is also what makes it hard to have a big impact. You would have to reach into many dissociated systems to swing the totals.

What do you project for future elections? Is this the new normal going forward?

We feel that this is a new normal. It is certainly a race we will be in for the foreseeable future, and it is definitely not a sprint. It means constantly re-evaluating, taking stock of where we are, and adjusting as new intel comes to the surface. That is why the information sharing groups like EI-ISAC [Elections Infrastructure Information Sharing and Analysis Center] and MS-ISAC [Multi-State Information Sharing and Analysis Center] are proving to be a value, along with the services we receive from partners like DHS and the FBI. Knowledge is key to this race.

Lastly, what can you tell me about the integrity of the election system in the U.S. and Idaho?

Our diversified system across the country, and those that operate it, is our biggest strength. Democracy is not a computer system. It is not a particular process. It is an ideal. It is the premise that votes, that voices, will be heard. You can try to attack that, but at the end of the day, it will stand. Our elections process is complex, it is varied, but it is held dear by those who steward it. We will, as we always have, find our way forward in this new environment, and those who choose to have a voice through exercising their right to vote will continue to be heard, one ballot at a time.