This week, leaders of the intelligence community testified in front of the Senate Intelligence Committee regarding worldwide threats against the United States. From the very beginning of the hearing, all were clear and unambiguous about the real and sophisticated threats against our nation’s election system. These threats include disinformation campaigns via social media and other outlets, and cyber threats against our election infrastructure.
Since the end of the 2016 election, the EAC has worked with DHS, FBI, NIST, NASS, NASED, NGA, Election Center and iGo, as well as private sector entities such as Harvard’s Belfer Center, the Center for Internet Security (CIS), The Center for Democracy and Technology (CDT), Google, CloudFlare and others. The purpose of these partnerships: to improve awareness among the nation’s election officials about the nature of this threat and increase the overall resilience of the election process.
As I have traveled the country and shared resources to improve the ability of election systems to prevent, detect and recover from attack, I have tried to end each session with some tangible take-home thoughts for election officials:
1. Ensure that all aspects of voting system (VS, EMS, Ballot Creation, etc.) are not connected to internet and maintain clean media.
Review processes and procedures for things such as election night reporting and ballot building. Utilize clean media from a trusted source. If a vendor performs these tasks for you, educate yourself about the security protections they have in place and hold them accountable.
2. Audit your systems, data, processes & procedures.
This new threat environment means a new opportunity to review and improve existing processes and procedures with an eye towards cybersecurity. A full review and update of things such as pre-election testing, post-election auditing, chain-of-custody, access controls, physical security policies and procedures can result not only in improved security, but greater efficiency. For instance, pre-election testing procedures should include not just testing the voting systems, but also e-poll books, ballot on demand printers and election night reporting systems.
This kind of review and improvement comes naturally to election officials as they are constantly improving based on lessons learned from prior elections. The goal here is to apply that same critical eye to your operation with an informed view of the threats against your systems and processes.
3. Assess your data risks & secure systems appropriately.
Conduct a full inventory of your systems and data. Then, assess your systems’ vulnerabilities and take steps to protect against threats that may arise. There are numerous resources to help assess and secure your data systems, including checklists from EAC, the Election Center and information from DHS. Remember, it’s not enough to just protect the data, you must also regularly back up the data and test your backups to make sure it is available and functional in the case of an incident.
4. Develop an incident response & recovery plan.
The single most important thing election officials can be doing right now is preparing comprehensive cyber incident response plans. The reality is that most, if not all, election offices are going to be impacted by a cyber incident either directly or indirectly (i.e. a vendor or fellow county official has an incident). However, most election officials have already done a lot of work to prepare because of the extensive contingency planning most election offices do. The EAC has an incident response checklist available to help you get started.
5. Take advantage of all available resources.
Protecting your systems against advanced sophisticated threats cannot be done alone. The good news is that because of all the attention that has been paid to election systems since 2016, there are a number of resources available that we never had before:
- EAC Resources
- DHS Resources
- NIST Resources
- Multistate Information Sharing and Analysis Center (MS-ISAC)
- Harvard Belfer Center’s Defending Digital Democracy Playbooks
- Center for Internet Security (CIS) Election Security Playbook
- Google Project Shield
- CloudFlare’s Athenian Project
In addition, there are state and local resources being made available to election offices. For instance, in Iowa, state and county IT officials are working collaboratively to provide training and onsite support for county election officials. If you haven’t already, make contact with your county IT director and state election offices to see what resources are available. You may be surprised at what you find as you build these partnerships.
As the election community works to confront emerging threats, the EAC stands ready to provide resources and support to state and local election officials who are on the front lines of defense. Voters want and expect a coordinated whole-of-nation response to these threats against our democracy so they can head to the polls (or ballot drop box) with confidence.