Alabama

In the wake of unsuccessful cyberattacks against the state voter registration database in 2016, Alabama Secretary of State John Merrill stated, “While it is encouraging that our efforts to protect Alabamians’ data have proven to be successful, we must remain vigilant and prepared for the constantly evolving threats to our voting systems and the integrity of those processes. We will utilize every resource available to ensure we are protecting the data of all Alabamians.”

As part of these ongoing efforts, Secretary Merrill has welcomed public and private election security partners, such as the U.S. Department of Homeland Security (DHS), into Alabama, taking advantage of a wide range of free resources available to further improve Alabama’s election security risk posture. These partnerships are critical to many states that are, in Merrill’s words, “not rich when it comes to resources that are available for discretionary purposes or specifically [election security].”

While these partners can help identify vulnerabilities, best practices, and important support functions, they do not fund the personnel, training, and security measures necessary to secure vulnerabilities in Alabama’s election system. For these reasons, Secretary Merrill supports federal block grants for funding specific election security projects in the states and believes such grants “would be very helpful” to Alabamians.

Allocation of 2018 Federal Election Security Funds

Federal grant: $6,160,383

State match: $308,020

Total: $6,468,413

Alabama has designated the entirety of its federal election security grant and state matching funds toward the following four projects:

Voter registration database upgrades and maintenance. With “more voters registered and more ballots being cast than ever before,” the state is devoting $3 million to improve the voter registration database and its security features through upgrades, such as two-factor authentication (2FA), to ensure that voter data is secure and reliable.

With “more voters registered and more ballots being cast than ever before,” the state is devoting $3 million to improve the voter registration database and its security features through upgrades, such as two-factor authentication (2FA), to ensure that voter data is secure and reliable. Computer equipment replacement and upgrades. The state is providing new computers and related equipment to each of the five primary election officials in all 67 counties at an estimated cost of $300,000. Alabama officials expect to complete this project by September 30, 2019. One of the many cybersecurity challenges faced in Alabama and several other states is related to the security practices of the users of a shared system, such as a statewide voter registration database. By providing computer equipment directly to local officials, the state can ensure that users across the state are implementing basic cybersecurity measures, including antivirus software installation.

The state is providing new computers and related equipment to each of the five primary election officials in all 67 counties at an estimated cost of $300,000. Alabama officials expect to complete this project by September 30, 2019. One of the many cybersecurity challenges faced in Alabama and several other states is related to the security practices of the users of a shared system, such as a statewide voter registration database. By providing computer equipment directly to local officials, the state can ensure that users across the state are implementing basic cybersecurity measures, including antivirus software installation. Postelection audits. The state designated $800,000 for postelection audits. This process is an essential election security bookend to the critical election measure already in place, paper ballots. While many of the audit-related costs will be incurred at the local level, the state plans to assume or reimburse all costs associated with implementing robust postelection audits, as local election officials simply don’t have the funds to underwrite this project. The state is currently working with election security experts to determine the best options for Alabama, and the first pilots are expected to be scheduled in calendar year 2019.

The state designated $800,000 for postelection audits. This process is an essential election security bookend to the critical election measure already in place, paper ballots. While many of the audit-related costs will be incurred at the local level, the state plans to assume or reimburse all costs associated with implementing robust postelection audits, as local election officials simply don’t have the funds to underwrite this project. The state is currently working with election security experts to determine the best options for Alabama, and the first pilots are expected to be scheduled in calendar year 2019. Addressing cyber vulnerabilities. The state designated $2.3 million for various cybersecurity enhancements, improvements, and fixes. Working with a variety of partners, the state plans to “investigate, implement, and identify new technologies” to help reduce or eliminate cyber vulnerabilities. As an example, the state previously fixed an official state elections website vulnerability that had been publicly identified by a private cybersecurity firm.

Additional Unfunded Security Needs

Alabama election officials identified two unfunded election security projects: legacy voting equipment replacement and development of a “cyber navigator program.”

Legacy voting equipment replacement. Alabama election officials in every county except Montgomery use legacy voting systems that are more than a decade old, including AutoMARK voting systems, used in 66 counties, and M100s (precinct count optical scanners), used in seven counties.

These aging voting systems are a security risk and less reliable than voting equipment available today. Older systems are generally “more likely to fail and are increasingly difficult to maintain.” Specifically, as neither the AutoMARK nor the M100 is currently manufactured, finding replacement parts will be increasingly difficult over time. This problem exacerbates the system-specific security concerns that have been reported to the EAC or by Verified Voting, such as inconsistent vote tallying and reboot times of 15 to 20 minutes. Moreover, these systems simply lack important security features expected of voting machines today, such as hardware access deterrents for ports.

State and local election officials would consider using additional election security funding to replace these legacy systems. Bullock County Court of Probate Judge James Tatum, the local chief election official, explained, “Our [AutoMARKs] are old and becoming very difficult to maintain . . . I would like to have the most secure equipment, cyber training, and election security [tools], but we simply can’t afford it.”

Judge Tatum further explained that although “Secretary Merrill is a champion of rural counties,” they often must do without the tools and resources available in wealthy counties. “While Huntsville and Birmingham can afford these [replacement] costs, when you’re talking about rural counties, we simply can’t afford these costs no matter how much they would improve our election security. For example, we would be responsible for paying for training. Of course, we have to compensate our poll workers for their time when they come to training. We can’t afford it. Rural counties are all in need of some additional resources.”

Development of a “cyber navigator program.” Election officials would like a state program that provides election security and cybersecurity professional services to local election officials.

Illinois recently developed such a system, where cyber navigators with responsibility for geographic zones will work across the state with local election officials to train relevant personnel and lead risk assessments and evaluations, among other things. They will fill a role akin in many ways to that of a chief information security officer for counties. Their assessment and evaluation efforts will help officials identify vulnerabilities and determine where additional resources may be needed to shore up cyber defenses. The program’s other principal components are infrastructure improvement and information sharing.

Without a state resource for cyber assistance, local election officials, such as those in Bullock County who do not have dedicated IT staff, may be at greater risk of a successful cyberattack. Local election officials consider the state a trusted partner and know personnel are available to address all voting equipment technical questions. However, without a cyber navigator–type of program, local election officials may not have sufficient resources to appropriately respond to identified cyber threats to local systems or equipment, such as those risks shared by the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).