[Image via northrocktv]
electionlineWeekly’s Mindy Moretti reached out to a group of leading experts on cybersecurity to get their views on what’s next in the field now that the 2018 election is behind us and 2020 is almost here:
Despite months (years) of worry, the 2018 election has come and gone without a whiff of hacking or foreign interference.
In the days following the election, Charles Stewart, III who runs the MIT Election Data & Science Labreported that voters surveyed following the election were 68 percent either very or somewhat confident that local officials had taken adequate steps to secure the election. That was up 15 percentage points since June.
With public confidence high in election security and no reports of any cybersecurity incidents during the 2018 election, how should state and local elections officials be focusing their attention in preparation for 2020?
We asked some of the leaders in the elections cybersecurity field what they will be doing for the next two years and what they would recommend state and local officials focus on as well.
Matt Masterson with the Cybersecurity and Infrastructure Security Agency (a division of the U.S. Department of Homeland Security) said that election officials CISA has worked with and talked to recognize that the risks posed to election systems are not going away and are going to adapt and increase.
After each election most offices take some time to evaluate what went well, what didn’t and how they can get better, Masterson said. As they prepare to conduct that after action report he would encourage them to take stock of their cyber posture.
“Take a full inventory of their systems (every office should have a complete understanding of what systems they have in their office, who owns them, how old they are, and how they are configured and managed), understand their network architecture, review and update their cyber incident response plan, update aging systems, ensure regular and consistent patching of systems, etc. The good news is that DHS/CISA has resources to help support them as they conduct this review.”
CISA can scan their outward facing systems with its remote cyber hygiene scans, conduct a cyber-security resilience review or review their network architecture. All of these services are free and prioritized for election officials!
Masterson said CISA will continue to work to support state and local officials by regularly sharing threat information. In addition, a priority for 2019 is to share information and educate funders, state and local appropriators, on the election risk environment and the real need for regular and consistent funding and resource allocation for election offices.
“We are currently working with all fifty states and over fourteen hundred local jurisdictions. We are proud of that level of partnership and engagement but recognize we have a lot more work to do. We know we need to continue to work with states to ensure information and services are reaching their local election officials, particularly in midsized and small localities. Through projects like the “last mile” poster project and outreach from the EI-ISAC we are hopeful that the election sector will remain our fastest growing sector,” Masterson said.
Additionally, he noted, CISA is excited to build on the work it’s done with the GCC and SCC to understand the scope and nature of the risks to elections and have more in-depth conversations about some of the harder issues in this sector, these include items such as getting to 100 percent auditability by 2020 and improving the efficiency and effectiveness of audits, supply chain management, and patching of election systems.
Ben Spear, director of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) is worried about complacency.
“Complacency is always a risk,” Spear said. “Just because there wasn’t an issue this cycle doesn’t mean there aren’t going to be issues in the future. But the election officials I spoke to seem to believe that.”
Spear said he expects cybersecurity to remain a top concern for elections officials in the next two years, but that for many, it’s now part of their job instead something “new” in addition the other election administration duties they have. He said he’s been cheered to see that so many of the newly elected elections officials have already been reaching out to EI-ISAC.
He said that in the next few months and years it’s vitally important that state and local elections officials continue to focus on training, citing some of the trainings offered by the U.S. Election Assistance Commission, Department of Homeland Security and others. He stressed the importance of building a base knowledge in cybersecurity before then moving on to more detailed training.
In addition to training, Spear said a top priority for all elections officials should be assessing their risk.
“You can’t start to fix something until you do an assessment,” Spear said encouraging officials to get and use CIS’ assessment tool and handbook. “That assessment tool allows you to frame where you stand and where you need to go.”
As for CIS, Spear said the organization will continue to be engaged with counties and states and work with organizations like the National Association of Secretaries of State and National Association of State Election Directors.
“We’re still somewhat drying the ink ourselves and doing some look back at how things went and what we want to do going forward,” Spear said. One thing that is important to me is going forward beyond the Handbook with a roadmap. We only had 7-8 months with the Handbook, now we’ve got two years to really help people formulate their roadmaps.”
And if you aren’t already signed up for the EI-ISAC (What?!? You aren’t?!?!), get signed up as soon as possible.
According to Robby Mook, senior fellow and Mari Dugas, project coordinator cybersecurity is an evolving challenge and that vigilance is the price of success.
“…[T]o stop paying attention now will most certainly mean something bad happens next time,” Mook and Dugas said. “We’ve seen great momentum from state and local elections officials on issues of cybersecurity though, so we hope that continues to be a priority.”
For their part, during the next two years, D3P will continue to be focused on resilience and training. The D3P team is assisting states who are conducting their own table top exercises as a way to expand cybersecurity training to a broader group of election officials.
“The 2016 election began to create more of an awareness of election cybersecurity, and the goal now is to keep that momentum going. To that end, we are encouraging our partners at the state and local level to continue to train their staffs in cybersecurity best practices and develop strong incident response communication plans,” explained Mook and Dugas.
Mook and Douglas said that it’s important for state and local elections officials to focus on cybersecurity basics and those basics should not be underestimated.
“We include our top 10 recommendations in our State and Local Election Cybersecurity Playbook, they explained. “However, as more is happening around elections on social media platforms, having an incident response communications plan in place is also a critical component of security.”
“…[I]n the wake of 2018 I am a bit worried that because there were no serious attacks that people might become complacent or not consider it an urgent area on which we need to seek continuous improvement,” said Joseph Lorenzo Hall, chief technologist at CDT.
Hall said it’s important to remember that just like in finance, “past performance is no indication of future results.”
“Election security is going to require continual improvement because we’ll never know when we’re a juicy target for someone, and the attack methods those malicious attackers use will only improve over time, so must we,” Hall said.
To that end, he had some recommendations for what state and local officials should spend their time doing over the coming months. He said it’s not that much different than before 2018: two-factor authentication, good password/credential management, and DDOS attack protection.
“In the longer term, it’s going to be important to move to systems that cannot run malware (e.g., Chromebooks for staff) and moving election information systems to regional or county data centers where concentrating the security needs of a number of local entities can help them leverage their capacity to better focus the limited resources they do have for cybersecurity,” Hall said.
Hall also said that it will be important for election officials to demand support in precinct-based voting systems for risk-limiting audits.
As for things outside the voting system, Hall said security experts and elections officials will have to start cultivating a culture of security across the election ecosystem.
“Just as certain kinds of election staff can specialize in larger jurisdictions, we will need to have election officials understand that they will need to have good security expertise on staff or they will need to be able to think through these issues themselves and make decisions that can protect them given their level of operations.”
For example, he said, it makes much more sense for a small jurisdiction to use office suites like Microsoft Office 365 and Google’s GSuite then to try and run their own office software that they would have to update, etc.
“We’ll want to have a sense of what it looks like to be a mature election cybersecurity operation and various levels of capability. That requires larger jurisdictions having meetings of their election cybersecurity people and people like us in civil society and elsewhere being able to translate the learning happening there to the smaller jurisdictions,” Hall said.
In short, there is much to do. That said, while it’s certainly true that cyberthreats continue to proliferate, the growing level of attention in the field suggests election officials and policymakers are increasingly in a posture that allows them to confront these challenges head on. Thanks to Mindy and her interview subjects for sharing this outlook – it’s cause for optimism in a sometimes-scary world. Stay tuned …