[Image via duetsblog]

Mindy Moretti has a great piece in this week’s electionlineWeekly about two valuable new resources available to election officials looking to wrap their heads – and perhaps some federal funds? – around election cybersecurity:

While states and localities are awaiting their share of the $380 million allotted by Congress to upgrade elections cybersecurity, there are two, totally free, ways that they can start beefing up their security now.

The Center for Internet Security (CIS), a nonprofit that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats recently released A Handbook for Elections Infrastructure Security and also launched the Elections Infrastructure Sharing and Analysis Center (EI-ISAC).

A Handbook for Elections Infrastructure Security is designed to help elections officials and their technical support teams defend the systems and networks used to conduct elections.

“We had two fundamental goals with the handbook: 1) to provide technical recommendations that are practical and actionable for elections officials and 2) to help bridge the communications gap between the technical and non-technical folks that need to work together to secure elections,” explained Dr. Mike Garcia, who has held positions at DHS and NIST and was the chief author of the handbook. “While the best practices include some technical language, the document as a whole is intentionally written to be understood by a non-technical audience.” 

A Handbook for Elections Infrastructure Security:

  • Includes details on 88 best practices
  • Identifies high and medium priority for those best practices
  • Addresses the different ways aspects of elections systems are connected to each other and the internet
  • Addresses auditing, incident response planning and response, and contracting for services

According to CIS, the handbook reflects the reality that the most significant risks to voting infrastructure affect those components with network connections. Examples include many voting registration systems and election night reporting systems, both of which may carry substantial cybersecurity risks.

While these types of attacks can cause disruptions and undermine public confidence, they are similar to those in other sectors with networked systems where well-known mitigations exist.

The handbook is closely tied to the CIS Controls, which undergo regular revisions. So CIS will update the handbook if it’s warranted by changing conditions and periodically to keep references to the CIS controls tied to the latest version. 

“But it’s important to emphasize that the handbook won’t be out of date any time soon,” Garcia said. “The approaches to manage risks will continue to mature and occasionally new risks emerge, but identified best practices don’t really stop being good to do. So implementing a given best practice won’t all of a sudden become a bad idea.”

In addition to the handbook and signing up for EI-ISAC (more info below), Garcia recommended the U.S. Election Assistance Commission’s cybersecurity training for non-IT folks and noted that CIS is always happy to talk people through the most important things they need to know. He added that one of the best ways an election officials can learn highly applicable information is to have an assessment of their systems. Either a self-assessment or one conducted by an independent party.

“We know elections officials have been hard at work securing their systems and managing all kinds of risks,” Garcia said. “We believe that a risk-based approach is the only way to manage in an evolving environment and get the results we all want to see.”

Elections Infrastructure Sharing and Analysis Center
CIS has long been home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), starting this spring is also home to an information sharing center just for elections. The EI-ISAC, which is available to any state/local/county elections official to participate in, will provide early warnings of cyber system threats, security vulnerability and training opportunities.

“The MS-ISAC does very important work, but it’s spread across many areas of need. By creating a specific unit to address the needs of election security, the EI-ISAC can provide more targeted and timely information to election officials,” explained Judd Choate, director of elections for the state of Colorado, immediate past-president of NASED and the first NASED representative to the Executive Committee of the DHS Government Coordinating Council (GCC).

“Further, for those election officials or IT professionals in states and localities around the country that have been less engaged in the national security conversation, the addition of a specific unit dedicated to elections cyber security will clarify who to contact and its importance to the daily work of cyber security,” Choate said.

When the Department of Homeland Security designated elections critical infrastructure, NASED volunteered to help in any way possible, including participating on the GCC, serving as guinea pigs for the new EI-ISAC, and engaging with outside groups like Harvard’s Belfer Center and the MIT Election Data and Science Lab. As for the actual decision to create an election infrastructure ISAC, NASED had seven of the 27 representatives on the GCC when it voted to create the EI-ISAC in February.  Each of those members supported its creation.  

Although NASED has been leading the charge on the EI-ISAC, Choate encouraged all elections officials to sign up.

“The EI-ISAC isn’t just a good tool for election officials, it’s an absolute necessity,” Choate said. “My office has advised all Colorado counties to join the EI-ISAC. Nearly 50 percent of our counties have done so. I know other states represented on the EI-ISAC Advisory Board are doing the same. Not only do you get the IT security alerts in real time, you also get access to a wide array of specialized intrusion prevention and monitoring.  If you are reading this and wondering if you should sign up for the EI-ISAC, the answer is ‘yes.’”

Choate noted that protecting voter registration databases from remote intrusion, which is the main function of the EI-ISAC is only the first step. He said all election officials should be thinking about the vulnerability of their election systems:

  1. Am I protecting my voter registration database, including web application firewalls, multi-factor authentication, and database logs to track usage and changes?
  2.  Am I prepared for a denial of service attack – on election day or any other day?
  3. When I send the personally identifying information (PII) of my voters, am I properly protecting that information against exposure?
  4. Are all my counties properly protecting the voter registration database through password protocols and a workable security plan?
  5. Am I providing software for my counties to help them protect against malware, ransomware, etc.?  
  6. Do I need to audit my county or employee security protocols to make sure they are doing what they say they are doing?
  7. Should I purchase software to improve emergency communications with election officials – just in case?
  8. Are my local jurisdictions reusing removable media (thumb drives), which exposes those systems to malware? 
  9. Should I purchase encrypted thumb drives for my counties that can be reset after each usage, so malware isn’t transferred to my voting system.
  10. Have I created a specific training for my counties that helps them understand cyber security vulnerabilities and protect against them?  
  11. Am I considering conducting a table top exercise for my state like the one Harvard’s Belfer Center rolled out last week?  
  12. Does my voting system vendor have appropriate security protocols and partners with me to monitor their security?

“And this is only the visible part of the iceberg,” Choate said. “Schedule a meeting – in fact, schedule a reoccurring meeting – with your IT team to go over every potential vulnerability in your election office, system, and processes. Don’t be the weak link.”

One of the things I’ve been most pleased to see in recent months is the recognition by the election community that, even though more financial resources are crucial to election security (and now forthcoming!), there are low-cost to free activities that election officials can do quickly if not immediately to shore up their defense. Thanks to Mindy for sharing these resources with the field – and kudos to CIS for making them available in such a timely manner.

Batten the hatches … and stay tuned!