[Image via reddit]
Dominion Voting’s Kay Stimson has a fascinating new post at the IT-ISAC blog about “interesting times” and the role that private sector vendors play in the election cybersecurity effort:
As we approach the end of the year, I am reminded of my family’s standard New Year’s toast, “May you live in interesting times.” It would be hard to find a sector (subsector, technically) where this missive has more resonance than in elections. The run-up to the November 2018 midterms was most certainly filled with “interesting” developments. Fortunately, our relatively smooth election cycle was bolstered by virtual non-stop hardening of every facet of election infrastructure and a strong focus on the establishment of some initial sector information-sharing and coordination mechanisms. One of the most promising outcomes was the establishment of an Elections Industry Special Interest Group, or “EI-SIG,” for election industry providers within the IT-ISAC.
While this isn’t your standard futuristic outlook with bold predictions for 2019, here are three areas where EI-SIG industry commitment and collaboration can shape these important times we are in:
Learning from Coordinated Sharing
The burgeoning EI-SIG partnership has been fostered by dialogue between DHS and election industry operators and the voluntary sharing and analysis of threat data. In 2018, we learned how coordinated public-private information-sharing accelerated the rapid restoration of key infrastructure services and essential functions for election partners that were impacted by Hurricanes Olivia, Michael and Florence. It is worth remembering, Hurricane Michael struck Florida just weeks before the start of early voting in many counties.
Looking ahead, members will continue to work with each other, ISAC partners and the government to enhance voluntary sharing efforts, focusing on security in company culture, third-party risk and vulnerability reviews, peer-to-peer learning and incident response planning to ensure that election infrastructure remains safe and secure. New efforts will focus on the resilience of the democratic process against not only security threats, but also against misinformation and those looking to sow confusion or doubt about its integrity. This was the game-changer in 2016. Activities to identify, measure and mitigate threats to inform key stakeholders about the increasingly dynamic risk landscape will be important.
Planning for Major Attacks or Incidents
For 2019 and beyond, efforts must focus on strategically aligning government and private sector election security activities to foster unity of effort and develop achievable priorities for response. Beyond developing robust incident management plans with clear guidelines, we’ll need to institutionalize them within industry culture. This requires employee training and guidance on how best to work with our government partners to identify, report and respond to incidents (both physical and cyber). The IT-ISAC’s peer learning network of companies can serve as a force multiplier for this work.
Additionally, the EI-SIG provides a consensus-based industry perspective on operational and security matters that can help to fortify sector-wide planning. For example, a number of EI-SIG companies – including my own – use a command center model for Election Day that conforms with state and local functions. We can use these existing models to create and share smart practices within the sector.
Enhancing Cybersecurity Protections
While no major threats or widespread targeting of election infrastructure were reported in 2018, general cyber threats remain, including email spear-phishing and ransomware attacks. EI-SIG members are dedicating substantial resources to reinforcing cybersecurity hygiene awareness at all levels of the corporate structure. For example, through the EI-SIG, elections industry companies have full access to the threat information and analysis shared through the IT-ISAC. Providers are also adapting the voluntary NIST Cybersecurity Framework to their organizations to capture and communicate their cybersecurity posture and maturity levels.
Meanwhile, nearly all EI-SIG member companies are involved in working with the federal U.S. Election Assistance Commission on the newest version of the Voluntary Voting System Guidelines (VVSG 2.0), which will employ additional cybersecurity provisions for election technology at the development level. New and updated voting systems are being designed with resilience and auditability in mind, but there needs to be more discussion with regulators about how systems are updated and patched. Vendors are also proactively seeking ways to partner on risk management activities for product security.
To this end, the IT-ISAC is connecting EI-SIG members to valuable cross-sector information-sharing initiatives, such as Homeland Security’s new Supply Chain Security Task Force. The goal is to learn from sharing within the IT sector when it comes to adopting a trustworthy supply chain for election systems.
For better or worse, we are most certainly living in “interesting” times. The end of the 2018 election cycle signals more work and collaboration ahead. The commitment that election companies have made to the EI-SIG demonstrates that industry is voluntarily taking actions to identify, protect, detect, respond and recover from a physical or cybersecurity attack – or mere claims of hacking or fraud. Industry partners compete on many levels, but we all seek to help our customers promote public confidence in the resiliency of elections. Sharing intelligence creates opportunities to further enhance company security, as well as cut risk within the industry. EI-SIG members have a golden opportunity to shape the future by identifying effective incentives to facilitate national security efforts. This is the role of the new EI-SIG in the U.S. election infrastructure ecosystem.
With all the focus on the response by federal, state and local officials in the area of election security, it’s easy to forget the important – and central – role that the private sector plays in ensuring the resilience of the nation’s election system. Thanks to Kay for her piece; she as much as anyone understands what’s at stake, having spent several years previous to her work with Dominion with the National Association of Secretaries of State. We do indeed live in interesting times – and the only way to keep them interesting in only good ways is to communicate and work together. Look out for one another – and stay tuned …