Why US election security is 'in a much better place' in 2024: Kyndryl Security Chief

“As we work with these jurisdictions, it is not the case that they are introducing the protections for the first time – which has been the case in previous years. We don’t have that anymore,” Kris Lovejoy, Kyndryl’s global practice leader for safety and resilience, told CRN.

For solutions and services giant Kyndryl, working with U.S. jurisdictions on security for the 2024 election has been a smoother process than in years past, for one very good reason: “There’s a lot more awareness.”

So says Kris Lovejoy, global practice leader for safety and resilience at New York-based Kyndryl, No. 9 on CRNs Solution provider 500 for 2024. Lovejoy recently spoke with CRN about how Kyndryl has helped strengthen election security in numerous jurisdictions across the US, with a focus on strengthening the controls used to protect voting systems.

Lovejoy said there is no doubt that election security is in a strong position ahead of the crucial November 5 election. While it cannot be denied that there is “a lot of complexity” when it comes to the many disparate U.S. election systems, the high level of awareness about election cyber threats has led jurisdictions to work vigorously to identify and fill gaps in preparation security gaps. before voting on Tuesday, she said.

“As we work with these jurisdictions, it is not the case that they are implementing the protections for the first time – which has been the case in previous years,” Lovejoy said. “We don’t have that anymore.”

The bottom line, according to Lovejoy, is that “we are in a much better place than we were before.”

“I think you’d be hard-pressed to find a jurisdiction that doesn’t take (safety) seriously,” she said.

Here’s more from CRN’s interview with Lovejoy.

What are the chances for Kyndryl when it comes to election security? What are the big things you’ve done for clients in this area?

There are three main areas. One of these concerns the voting machines themselves, and the software and hardware associated with these technologies. What we’re finding is that a lot of these voting systems can be quite old, honestly. And sometimes the lack of modern security features can make them more susceptible to hacking and tampering. So I would say first and foremost it’s about modernization.

Where modernization is not possible – the institution still has a lot of legacy (equipment) – it is really about the compensating controls that can be put in place to protect the systems themselves. Or alternatively, if they’re using the cloud infrastructure to support voter rolls, voting, etc., then they really look at that cloud infrastructure and think, how can we support that?

If we go back to the older aspect of the voting systems, we see that some election systems are actually taking older software and putting it into a cloud container. And then they run it from the cloud. That is not modernization. You still have the old stuff, but now you have the added complexity of managing the cloud security around it. So what we’re finding is that there’s a lot of (demand) to get into (election systems) and help strengthen the preventative controls, as well as the detection-response and then recovery elements of those infrastructures.

A second big area for us is supply chain: the supply chain for election equipment and the software used to manage the equipment. That needs to be managed very carefully to prevent vulnerabilities, and to ensure that you know when these vulnerabilities are being exploited intentionally or unintentionally: there is a mechanism in place to monitor and remediate this.

Then there are also logistics systems. You also need to make sure that your software and your suppliers do what they are supposed to do. So we also do some work on the logistics applications and ensure that they work.

Last but not least, there really is the physical security part. One of the things that people worry a lot about is the data center that hosts the election results or does the election processing. And so we work with customers in and around that specific area, making sure that they have good data center security design and that things are being done properly.

Do you believe that any of these areas will be a greater priority or focus for election organizations in 2024 than in previous elections?

There is much more awareness. So that’s good. However, the reality we are discovering is that there is a lot of complexity. So there is no standardization in the entire election system. Each jurisdiction has designed its own approach. There is no theme (for investments in election security) because there is no one system, there is no one design. It’s just a very organically grown ecosystem. When we work with these jurisdictions, they are not introducing protections for the first time – which has been the case in previous years. We don’t have that anymore. Now it’s actually about (the fact that) these organizations have determined through active testing that there may be some gaps. And they use us to fill those gaps. But like I said, in preparation for this particular election season, there’s not one thing that I think is ubiquitous.

Given the higher level of awareness you mentioned, do you have any idea whether the level of investment will be higher this election when it comes to modernization?

If investments have been made, they have been at the front end of the system, i.e. in the management of the voter lists. So if something is being modernized, I would say it is being modernized there.

There is so much fear and consternation around voting systems these days: what types of systems can you trust? What does good software and hardware look like? It feels to me like a modernization of the voting machine – the software and hardware that actually counts the votes – that has, to some extent, been delayed a bit. At least, from what we see. We are more focused on the election lists and securing the roles and ensuring limited access to those roles. That’s the focus.

We must be hyper-vigilant about the election system, just as we do about our water, utilities and energy generation. And I would say we’re in a much better place than we were before. But there is a lot of misinformation and misinformation available today, which makes people distrust the (election) program. And I think that’s a shame.

Overall, do you feel like most jurisdictions are doing the right things when it comes to election security and making the right investments there?

We don’t work with all of them, so it would be difficult for me to answer that question. But I think you’d be hard-pressed to find a jurisdiction that doesn’t take it seriously.