Four Necessary Steps to Protect Election Infrastructure
Cyber criminals and hackers can create chaos in state and local
voting and election systems – from disqualifying voters to corrupting
data to launching denial-of-service attacks.
For example, last summer 12 Russians were indicted by the U.S.
Department of Justice for having tampered with the 2016 U.S.
elections, as well as stealing data on a half-million
Illinois voters from the state’s election board website.
And consider this – in a recent hackathon
event, an 11-year-old was able to hack into Florida’s voting
system within 10 minutes and change voting results.
Many government election commissions and agencies are not fully
prepared to deal with these threats, but it doesn’t have to be that way.
The Challenges
State and local governments face unique challenges in protecting the
integrity of elections. They must ensure that voting processes are
secure and accessible while also being fiscally responsible – and
often with limited IT staffing.
Also, agencies must find ways to counter cyber security threats that
target a multitude of systems, including electronic voting machines,
ballot counters, voter registration systems, websites, and election
management systems.
These were the obstacles facing the State
of Missouri. The state’s cyber security profile was limited,
with only four staffers and finite resources to keep up with
ever-evolving threats. However, after witnessing data breaches in
other state and local governments, officials in Missouri’s legislative
and executive branches decided to take action, and opted to deploy
FireEye security technologies.
Four Steps to Protect Infrastructure
There are some immediate actions that governmental IT leaders can
take to protect election integrity and reassure citizens that their
voting data is safe.
- Assess critical election infrastructure: Understand,
for example, the potential entry points by which attackers can
access voting systems, as well as the methods used to breach them.
Cross-departmental and agency communication helps ensure that all
the implications and threat possibilities have been considered. For
example, bring together election officials, IT staff, government
executives, emergency responders, and technology vendors for these
discussions. Doing so also helps create multiple layers of
protection. - Test existing plans: Just as schools carry out drills
to prepare for a fire or other hazardous event, so too should local
governments conduct tests of their election security plans. This
will help identify potential gaps and vulnerabilities. - Secure existing technology: Do devices and applications
used by government officials utilize multi-factor authentication and
encryption capabilities? Is critical, sensitive data backed up and
stored offsite, and does it have same level of security as primary
data? - Modernize election infrastructure: Find ways to
collaborate with technology vendors and public and private sector
peers about ways to protect systems. For example, healthcare and
financial services firms have critical data to secure. Consider how
cloud computing, automated patching and updates, and endpoint
security technology can cost-effectively provide multi-layered
protection, while reducing the burden on in-house IT staff.
Reach Out to Federal Partners
There are many opportunities for state and local governments to
obtain low or no cost support and resources. For example:
- Financial assistance is
available via the 2002 Help America
Vote Act; last year Congress allocated
$380 million to this fund “to enhance election technology and to
make election security improvements.” That includes purchasing
voting equipment, implementing audit systems, upgrading computer
systems, facilitating cyber security training for election
officials, implementing cyber security best practices, and funding
other cyber security-related activities. As of Sept. 30, 2018, only
8.3 percent, of the total amount allocated
had been spent by the states. For officials unsure how to access
these funds, the Election Assistance Commission and the private
sector – including FireEye – can help. - The Cybersecurity
and Infrastructure Security Agency (CISA) at the Department of
Homeland Security (DHS) provides no-cost services,
including: access to regional cyber security personnel who can
provide advice on preparing for and responding to cyber attacks;
cybersecurity assessments such as hygiene scans, risk and
vulnerability assessments, and cyber resilience reviews; cyber
threat hunting; access to threat information, including the DHS
Information Network portal; intrusion analysis after a cyber
incident; and cyber security training and professional development
opportunities. - DHS also maintains a robust resource
library for election security, featuring security checklists,
guides on attack mechanisms, and contact information for CISA
personnel. - Most recently, DHS issued a list of
election security best practices ranging from patch management to
blocking malicious traffic.
To better understand how the power of collaboration among government
agencies and the public sector can protect election and state and
local infrastructure integrity, check out this webcast about taking a
holistic approach to state and local cyber security.