This post was written by Brian Engle, CISO and Director of Cybersecurity Advisory Services, CyberDefenses
Lawmakers Are Facing More Election Security Decisions — The Bills
In the wake of disturbing news about election tampering and hacks, lawmakers are focused on ensuring that elections are administered fairly and that votes are protected. The evidence is in the fact that more cybersecurity legislation is being introduced, and this recent increase in election security-related regulation is likely only the beginning.
One of the more prominent examples of this trend is bill US HR1, For the People Act of 2019 that passed in the United States House of Representatives in March. The purpose of the bill is to expand Americans’ access to the ballot box, reduce the influence of big money in politics and strengthen ethics rules for public servants. A notable inclusion in this bill is the Election Security Act.
This is only one of the bills currently being introduced on Capitol Hill aimed at securing the vote in a world where cyberattacks are an increasing threat. Bill S549 Voter Empowerment Act of 2019 and HR 1217 Ensuring American Voters Act of 2019, among others, are also part of current lawmaker discussions.
Proponents of strengthening election security are hard at work at the state level too. The state of California has put forth several election cybersecurity-related legislation in the past year such as AB2748 Election Infrastructure: Independent Security Assessments. Introduced in February 2018, the bill calls for the Office of Information Security in the Department of Technology, the Office of Emergency Services and the California Military Department to establish a pilot program to conduct or require security assessments of election infrastructure at the county level. The program includes gathering recommendations for mitigating system vulnerabilities so that counties can take the next steps in implementing improvements.
More recently, in August of 2018 California introduced bill AB3075 focused on creating an Office of Elections Cybersecurity within the Secretary of State’s office. The purpose of the legislation is to coordinate efforts between the Secretary of State and local election officials to reduce the likelihood and severity of cyber incidents that could impact the integrity of elections.
Maryland is another state introducing election security legislation. SB384 Election Law – Security and Reporting of a Breach put forth in February 2019 requires the State Board of Elections to adopt regulations that describe best practices for storage and security of voter registration information. Similarly, that same month in Texas, HB 1421 relating to the cybersecurity of voter registration lists and other election-related documents, systems and technology, was put before committee for consideration. It requires the Secretary of State to adopt rules and best practices for identifying and reducing risk to election systems. It also enables county election officers to receive training and information on improving security for the electronic storage and management of election data.
What You Can Do
Amid these legislative efforts is heated debate over who is ultimately responsible for the security of elections and how much control different levels of the government should have over local elections. No matter where we fall in this argument, the undeniable fact is that in our digital era, cybersecurity is a key part of conducting fair elections. There are important steps that we can all take to defend elections against cyber attackers even if these steps aren’t mandated by law.
- Security Awareness
Security Awareness comes in different forms for the different roles within elections. The more aware election staff members and voters are of the types of attacks occurring within elections the better we are all able to stop nefarious activity in its tracks. Election administrators and county leadership should learn about the various types of risks and how equipped their organizations are at detecting, evaluating, and countering these risks. County technology teams need to stay on top of the most common hacking methods and attacks and know how to determine if data has been compromised. Everyone needs to be acutely aware of their digital surroundings and how to watch for the types of things that might be used as disinformation to affect voters. For instance, a common misinformation method is copying an official website, posting it under a URL that closely resembles that of a legitimate site, and altering the information to mislead voters. Government entities need to take steps to ensure they are using the right configurations, and voters need to be able to be sure they are on the right website whenever it involves voting information. - Open Communication
Whether you are a voter or an election official, the more we freely exchange and share information back and forth, the more we create an environment that is not conducive to cyberattack. As a voter, ask questions of your election department. Seek to understand the entire process of vote collection, tally and reporting so you can identify something that doesn’t seem right. As an election official, make constituent communication a top priority, including notifying the community of possible issues as quickly as possible. Always communicate facts and look to multiple reputable sources; don’t jump to conclusions. Be skeptical, curious and cautious whenever you are hearing about topics concerning voting and elections. - Get Involved
Government of the people, by the people places responsibility in all our laps. Get involved in your community’s efforts to secure elections. Volunteer and participate in the election process. Observe the election processes in your own jurisdiction. Understand the proposed legislation your representatives are considering and let them know the pieces you support. Weigh in if you see something that needs to be improved or if you have ideas for ways to accomplish better election security.
What Election Officials Can Do
While the tips listed above can be followed by voters and election staff, there are key things that election teams can do to secure elections. Many election departments assume that election security begins and ends with servers, computers and voting equipment. It’s true that adequately securing technology is a critical part of securing elections, but the effort must include the entire election process and include these key activities.
- Election Security Assessments
Whether they are required by law in your state or not, conducting an election security assessment is an important first step in protecting your election against hacks or tampering. A thorough assessment that encompasses your entire process, not just technology, and that is conducted by a cybersecurity firm that understands elections can help you hone in on the exact areas that require repair or improvement. - Election Security Guidance
Many election departments don’t have the resources to hire a full-time Chief Information Security Officer (CISO); however, having the expertise of a CISO to guide your security improvement efforts is vitally important. Cybersecurity is not simple. Consider enlisting the help of a consultant who knows elections, is well-versed in the risks and focus areas for improving security, and who can give you a clear path to stronger security. - Incident Response Training
We touched on the importance of security awareness for both voters and staffers. Election team members need to go even deeper than understanding attack methods. They need to know how to quickly respond in the event of a breach, hack or vote tampering. Make sure your team knows how to identify an issue, how to escalate it to the right people who can act, and how to communicate the news to the public. Practice makes perfect, so consider doing tests of your response plans and set aside time to make improvements or changes based upon any new considerations.
Election security is a topic that we will be hearing about more, especially as the 2020 election draws closer. It can be tempting to think it’s someone else’s problem to solve, but in reality, it is an issue that we can all affect, not just legislators. It’s good to know that there are ways we can make a positive difference.
Brian Engle is the Chief Information Security Officer and Director of Advisory Services for CyberDefenses, a leading managed security services provider and an election security specialist. Visit CyberDefenses.com/elections to learn more about the work the company is doing to secure elections.