A recent edition of Electionline featured a story about cyber navigator programs, cooperative ventures under which state election officials in the US employ election technology professionals to provide practical cybersecurity knowledge and support to their jurisdiction. CISA’s Election Infrastructure Subsector Government Coordinating Council recommends that US states spend portions of their HAVA funding on election security personnel, including navigators. Unfortunately, fewer than 12 states have such programs, according to the article. This is something that we’d like to see expanded. The election environment is dynamic and ever-changing, and the fact is that local election officials typically can’t do it all by themselves. Nor should they be expected to.
Some jurisdictions are lucky enough to have the budget to hire new employees dedicated specifically to cybersecurity, but most in America aren’t. There are, however, other channels for cyber support. In some regions, National Guard personnel can help provide this service. Jurisdictions can also look to university faculty for consultations. In the same realm, college students and grad students are often quite good with new technologies. On the other end of the spectrum, some retired professionals like to continue to be active in the field and are open to freelance opportunities.
But perhaps your best option is your election technology provider. They are a reliable and knowledgeable source for cybersecurity counseling. Their experience with dedicated election systems, including your own specific system, makes them more valuable than a generic security analyst. Don’t hesitate to ask your provider for help.
With or without outside support, election officials and administrators can help protect their infrastructure by taking a holistic approach to cybersecurity and being proactive throughout the year – not just when an election is approaching or underway. The good news is that small and relatively simple steps will make a big impact.
- Review employee network credentials and use Multi-Factor Authentication: This should be an obvious step, but it’s very commonly overlooked. The best time to do this review is yesterday, and the next best is immediately after every election event is closed out. Why? Because many jurisdictions hire contractors and other forms of temporary staff to help with the crush of the election event. Post-election is also the time to review the list of terminated or departed employees. All these credentials should be purged after each event.
- Review passwords and system roles: Many jurisdictions move existing employees into new temporary positions or provide extended access to certain staff just for elections. Review permissions and roles and reset them to appropriate levels. Once that’s done, change passwords to keep those folks out of network areas where they’re no longer required.
- Website lookups and registration portals: Guarding your voter registration website against attack is difficult. These systems are typically available to the Internet 7 x 24 x 365, making reconnaissance easier to perform. Frameworks from OWASP and the Center for Internet Security are well established. Internal IT, cyber navigators and other experts should be called in to assist with securing these external-facing sites.
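The post-election credential and role review described in the first two items above can be run as a repeatable check against an account export. This is an added example, not code from the original article; the CSV columns, role names and sample accounts are constructed assumptions.

```python
import csv
import io

# Constructed sample account export. The column names are assumptions for this
# example, not the schema of any particular directory or election system.
ACCOUNTS_CSV = """\
username,staff_type,hr_status,enabled,mfa,role,baseline_role
jdoe,permanent,active,yes,yes,clerk,clerk
asmith,permanent,active,yes,no,clerk,clerk
temp01,contractor,active,yes,yes,poll_support,
mlee,permanent,departed,yes,yes,supervisor,supervisor
rkhan,permanent,active,yes,yes,election_admin,clerk
old02,temporary,departed,no,no,poll_support,
"""


def review_accounts(csv_text, event_closed):
    """Return {username: [actions]} for enabled accounts that need attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "yes":
            continue  # already disabled, nothing left to purge
        actions = []
        if row["hr_status"] == "departed":
            actions.append("purge: departed employee")
        elif row["staff_type"] != "permanent" and event_closed:
            actions.append("purge: temporary or contractor access after close-out")
        else:
            if row["mfa"] != "yes":
                actions.append("enroll in MFA")
            # Staff given extended access for the election go back to baseline.
            if row["baseline_role"] and row["role"] != row["baseline_role"]:
                actions.append(
                    f"reset role to {row['baseline_role']} and change password"
                )
        if actions:
            report[row["username"]] = actions
    return report


if __name__ == "__main__":
    for user, actions in review_accounts(ACCOUNTS_CSV, event_closed=True).items():
        print(f"{user}: {'; '.join(actions)}")
```
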
On a more holistic level, it’s important to periodically look outside of these election-related areas to operational functions, which in cyber terms can be notoriously porous. When was the last time passwords were changed? Have the latest patches been applied? Is the physical security for server rooms and telecom hubs up to date? Threats evolve; are training materials relevant and up to date? Have disaster recovery plans been tested recently, particularly the ability to restore information from backups?
- Site connections: Review the security of the digital infrastructure for all offices, warehouses and remote sites, including polling centers. Also review the physical security of election infrastructure.
- Supply chain security and online ordering: Recognize that attackers may seek to compromise a company in your supply chain, then use that as a lever to intrude on your network. Set meetings with all key vendors to review their security processes. Ask if there are opportunities to partner on security efforts. This article provides a good overview.
- Email security: Phishing is still the number one hack in the cyber universe. Work with internal IT personnel to make sure email systems are updated and employees are reminded (again) about anti-phishing best practices. Expert-developed anti-phishing staff training is widely available on the internet.
- Firewall rules and access control lists: Performing log analysis to see who is checking your virtual gate locks, then updating firewall access control lists, is a technical challenge but essential. Like security in general, it is an ever-evolving aspect of the threat landscape. As with other technical security controls, hiring a service, gathering experts to help, engaging with your vendor base – all of these are good steps to ensure your network security is solid and remains that way.
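The log analysis described in the last item above, sketched as an added example that is not part of the original article: it lists sources that were denied on several distinct ports and are not yet covered by an existing block entry, so they can be reviewed for the access control list. The log format, threshold and addresses (all from documentation ranges) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-01-10T02:14:07Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-01-10T02:14:08Z DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-01-10T02:14:09Z DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2024-01-10T02:15:30Z ALLOW src=198.51.100.20 dst=192.0.2.10 dport=443
2024-01-10T02:16:02Z DENY src=198.51.100.99 dst=192.0.2.10 dport=23
2024-01-10T02:16:03Z DENY src=198.51.100.99 dst=192.0.2.10 dport=22
2024-01-10T02:16:04Z DENY src=198.51.100.99 dst=192.0.2.10 dport=8080
2024-01-10T02:17:45Z DENY src=198.51.100.20 dst=192.0.2.10 dport=8443
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) src=(\S+) dst=\S+ dport=(\d+)$")


def probing_sources(log_text, blocked_networks, min_ports=3):
    """Sources denied on >= min_ports distinct ports and not already blocked."""
    blocked = [ipaddress.ip_network(n) for n in blocked_networks]
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "DENY":
            continue
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # unparseable source address
        ports[src].add(int(m.group(3)))
    candidates = []
    for src, seen in ports.items():
        if len(seen) >= min_ports and not any(src in net for net in blocked):
            candidates.append((str(src), sorted(seen)))
    return sorted(candidates)


if __name__ == "__main__":
    # 198.51.100.96/28 stands in for an entry already on the block list.
    for src, seen in probing_sources(SAMPLE_LOG, ["198.51.100.96/28"]):
        print(f"review for ACL: {src} denied on ports {seen}")
```
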
Cybersecurity can sometimes feel like bailing a leaking boat with a teaspoon. It may be exhausting, and stopping might seem appealing, but the ultimate outcome won’t be good. Cyber navigators are a great way to steer through an ocean of security threats. With or without a navigator, a proactive and holistic approach to cybersecurity is essential to stay afloat. These tips and techniques won’t eliminate the threat of sinking – nothing will – but they’re more like bailing with a bucket and not a teaspoon.