Why U.S. Election Security Is ‘In A Far Better Place’ In 2024: Kyndryl Security Chief

‘When we work with these jurisdictions, it’s not as if they’re putting in place the protections for the first time—which in former years, that’s what it was. We don’t have that anymore,’ Kris Lovejoy, Kyndryl’s global practice leader for security and resilience, tells CRN.

For solution and service provider giant Kyndryl, working with U.S. jurisdictions on security for the 2024 election has been a smoother process than in past years for one very good reason: “There’s a lot more heightened awareness.”

That’s according to Kris Lovejoy, global practice leader for security and resilience at New York-based Kyndryl, No. 9 on CRN’s Solution Provider 500 for 2024. Lovejoy recently spoke with CRN about how Kyndryl has been helping to bolster election security at numerous jurisdictions around the U.S., with a focus on strengthening the controls used for protecting voting systems.

Lovejoy said there is no question that election security is in a strong position in the run-up to the pivotal Nov. 5 election. While it can’t be denied that there is a “ton of complexity” when it comes to the many disparate U.S. election systems, the high level of awareness about election cyber threats has led jurisdictions to work vigorously on identifying and filling security gaps in preparation for voting on Tuesday, she said.

“When we work with these jurisdictions, it’s not as if they’re putting in place the protections for the first time—which in former years, that’s what it was,” Lovejoy said. “We don’t have that anymore.”

The bottom line, according to Lovejoy, is that “we’re in a far better place than we were before.”

“I think it would be hard to find a jurisdiction that wasn’t taking [security] seriously,” she said.

Here is more of CRN’s interview with Lovejoy.

What is the opportunity for Kyndryl when it comes to election security? What are the big things you’ve been doing for customers in this area?

There are three big areas. One is on the voting machines themselves, and on the software and hardware that’s associated with those technologies. What we find is that many of these voting systems can be pretty old, quite honestly. And sometimes, lacking modern security features makes them potentially more susceptible to hacking and tampering. So I’d say first and foremost, it’s around modernization.

Where modernization is not possible—the institution still has a lot of legacy [equipment]—it’s really around the compensating controls that can be introduced to protect the systems themselves. Or alternatively, if they leverage cloud infrastructure to support voter rolls, balloting, etc., then it’s really looking at that cloud infrastructure and then figuring out, how do we shore that up?

Going back to the legacy aspect of the voting systems, what we’re seeing is that some election systems will actually take legacy software and they’ll put it into a cloud container. And then they run it off the cloud. That’s not modernizing. You’ve still got legacy stuff, but now you’ve got the added complexity of managing the cloud security around it. So what we’re finding is a lot of [demand to] come in and help [election systems] in shoring up the preventative controls, as well as the detection-response and then recovery elements of those infrastructures.

A second big area for us is around supply chain—the supply chain for election equipment and the software that is used to manage the equipment. That has to be managed very carefully in order to prevent vulnerabilities, as well as to ensure that you know when those vulnerabilities are deliberately or inadvertently being exploited, there’s that mechanism to check it and remediate.

Then there’s also logistic systems. You also have to make sure that your software and your suppliers are doing what they need to. So we also do some work around the logistics applications and ensuring that those are working.

Last but not least is really the physical security piece. One of the things people worry about a lot is the data center that hosts the election results or is doing the election processing. And so we do work with customers in and around that particular area, making sure that they have a good data center security design, things are air-gapped the way they need to be.

Are you finding that one of those areas is a bigger priority or focus for election organizations in 2024 than in previous elections?

There’s a lot more heightened awareness. So that’s good. The reality we are finding, though, is that there is a ton of complexity. So there is no standardization across the election system. Every jurisdiction has kind of designed its own approach. There’s no theme [to the election security investments] because there’s no one system, there’s no one setup. It’s just a very organically grown ecosystem. When we work with these jurisdictions, it’s not as if they’re putting in place the protections for the first time—which in former years, that’s what it was. We don’t have that anymore. Now it’s really about [the fact that] these organizations have identified through active testing that there may be some gaps. And they’re using us to kind of fill those gaps. But as I said, in preparation for this particular season of elections, there hasn’t been one thing I would say is ubiquitous.

Given the higher level of awareness you mentioned, do you have any sense if the level of investment is higher when it comes to modernization this election?

If there’s been investments going in, it’s been on the front-end of the system—so it’s in voter rolls management. So if anything is being modernized, I would say it’s being modernized there.

There’s so much fear and consternation around voting systems today—what kinds of systems can you trust? What does good software and hardware look like? It feels to me like modernization of the voting machinery—the software and the hardware that actually tallies the votes—to some extent, that’s slowed a bit. At least from what we see. We’re focused more on the election rolls and securing the rolls and ensuring limited access to those rolls. That’s the focus.

We need to be hyper-vigilant around the election system, as we do around our water, utilities and our energy generation. And I would say that we’re in a far better place than we were before. But there is a good bit of misinformation and disinformation out there today, which makes people distrust the [election] program. And I do think that’s unfortunate.

All in all, do you have a sense that most jurisdictions are doing the right things when it comes to election security, making the right investments there?

We don’t work with all of them, so it would be hard for me to answer that question. But I think it would be hard to find a jurisdiction that wasn’t taking it seriously.