For the past three years, the state has stepped up its training, outreach and coordination to protect county election systems, with the Office of the Chief Information Officer playing a key role.
Over the past several years the state of Iowa has undertaken a massive effort to increase election security, investing in cybersecurity and training as a means to prevent bad actors from deterring voter turnout.
"First in the nation in voting demands, first in the nation security," said Secretary of State Paul Pate, at a press conference in August of 2018, publicly announcing the goal of expanding cybersecurity services to counties throughout the state.
Pate's efforts began in 2015, when he made clear to state officials his intentions to create a "Human Firewall" against voter election interference. Training, outreach and coordination with counties throughout the state were the means by which Pate planned to expand and secure coverage. These efforts have culminated in an increase in county access to protective services offered by the state.
For example, in August 2018, only 27 of Iowa's 99 counties were participating in cybersecurity services offered by the Office of the Chief Information Officer. Now, less than a year later, all 99 counties have signed up for at least one cybersecurity service from the OCIO, and as many as 90 counties are now covered by three or more services, according to the office.
The threat to voting security in the U.S. has grown in recent years. In 2016, two of Florida's 67 counties had their election systems breached by Russian hackers. Information about the attack surfaced in the Mueller report released earlier this year. The hacking attempt, which appears not to have led to any changes in votes, has raised awareness and prompted an increase in federal, state and local resources and coordination to improve election security, according to Wired.
In Iowa, the recent increase in stepped-up election security strategies is the byproduct of the last three years of work, as well as of myriad partnerships between the OCIO and state and federal organizations, including the Department of Homeland Security, the Iowa National Guard and the Iowa Counties Information Technology organization.
“We’re a big target because we’re the first to start elections,” said Jesse Martinez, IT specialist with the Information Security Division (ISD) of the Office of the Chief Information Officer, which is in charge of security operations. “So that can make us an attractive target for cyberattackers.”
The recent 2018 elections were a good test for the defenses that have been built up over the last several years, Martinez said.
“We wanted to make sure that they had cybersecurity services in place — tools and intelligence that would give them a good defense and prepare them for anything that could potentially happen with the elections,” he said.
The Department of Homeland Security has also played a big role in this process, supplying grant money for added security programs and procedures, while also conducting intelligence sharing about potential bad actors and threats to infrastructure, Martinez added.
“[The ISD's] part in that would be offering cybersecurity services [to counties]: security awareness training, intrusion detection systems, vulnerability scanning and anti-malware,” Martinez said.
Most counties have security procedures in place, but the ISD looks to identify and fill security gaps that may exist.
“Some counties have a good, solid IT staff and some counties just don’t,” Martinez said. “Even the counties that have IT, they can kind of be overwhelmed [with other activities]; they’re doing the regular stuff and cybersecurity is off to the side, so we can supplement them with our services and help in any way that we can.”
Hackers will scan for vulnerabilities well before elections so that they can identify weak spots for exploitation. When it comes to Election Day, they try to target vulnerable areas.
“The main thing they want to do is [spread] disinformation and obviously change results if possible, but also undermining the election’s process as a whole and chipping away at public confidence,” he said. “So we want to try to get ahead of them. We want to make sure that machines are patched for vulnerabilities. There are systems that can do continuous network monitoring. We have backup programs in place — two-factor authentication programs.”
Much of this assistance can be rendered through the ISD's Security Operations Center, a large office created several years ago for live monitoring and defense operations that assists with protection during elections. Still, so much of security is simply about education and proper training of state employees in preparation for potential incidents, Martinez added.
“We want to pass as much information along as we know and give them an opportunity to self-assess or ask for help,” he said.