New York is dedicating 100 percent of its 2018 Help America Vote Act (HAVA) Funds to enhance cybersecurity in its election process. As part of this commitment to cybersecurity, the New York State Board of Elections developed a cybersecurity plan in May 2018 to further strengthen cyber protections for New York's elections infrastructure. The plan, dubbed ARMOR, has four elements:
Assess the risk to State and County Elections Systems;
Remediate the vulnerabilities;
Monitor ongoing Operations; and
Respond to incidents.
“ARMOR is a uniform plan to increase the cybersecurity posture of our elections infrastructure,” says Robert Brehm, Co-Executive Director of the New York State Board of Elections (NYSBOE). “Uniformity and consistency are important components. The State Board of Elections will leverage the state’s purchasing power to procure web-based cyber-hygiene training, risk assessments, enhanced intrusion detection solutions, mitigation, monitoring and response for all of our county election systems.”
In implementing ARMOR, the state has invested time and resources into tabletop exercises, designed to test the readiness of election officials for cyber incidents and protect the integrity and security of New York’s elections. The scenarios were based on a combination of real-world events and potential risks facing New York’s election infrastructure. These scenarios included possible social media manipulation, disruption of voter registration information systems and processes, voting machines, and the exploitation of board of elections business networks.
“By playing out hypothetical cyber events that could impact the state’s ability to administer the elections, we are able to identify additional mitigation strategies, and enhance collaboration between our stakeholders,” says Brehm.
New York has conducted six first-in-the-nation tabletop exercises in concert with the Department of Homeland Security (DHS) and participated in three federal tabletop exercises. County Boards of Elections officials and Information Technology professionals from all 62 counties attended these exercises. There were more than 300 participants across all six tabletop exercises.
“We also opened it up to the county executives so they understand what we are asking their employees to do,” says Brehm. By broadening the audience for these activities, New York has been able to collaborate with and learn from people outside the Board of Elections. Partnering with federal, state and local governments and associations, as well as academia, has been an integral part of our planning process and the backbone of many programs.
“These exercises were vital to our launch of the Secure Elections Center and in raising cybersecurity awareness among county boards of elections, county IT and others along the way,” says Brehm. “SEC is charged with reviewing and evaluating all election security policies and regulations and ensuring continuity of election administration and operations.”
One outcome of the tabletop exercises was feedback that counties would benefit from a uniform cyber-hygiene training program. As such, NYSBOE procured and implemented web-based cybersecurity training. The training will be part of the board’s curriculum through the next presidential election.
In addition to the extensive training conducted for staff across all counties, the NYSBOE is working with DHS to conduct a comprehensive risk and vulnerability assessment on its election infrastructure. The results will be provided to the state in a risk analysis report with strategic remediation recommendations. NYSBOE has procured a vendor to perform risk assessments of all the County Boards of Elections. The Board is also offering enhanced intrusion detection solutions to all County Boards of Elections. The Board has also developed an incident response plan that outlines roles for staff in responding to cyber incidents; technology to coordinate and track response; and procedures for incident identification, containment, eradication, recovery and a post-response assessment.
Brehm says New York voters can feel assured that the state has taken all necessary steps to ensure a secure election process. He notes that New York prohibits any connections to the Internet with its voting equipment. New York State also requires certification and testing of all software and hardware for voting equipment before it can be purchased by the counties. Other security measures include a random audit of three percent of the voting machines used in each county after each election. New York is one of the few states that prohibits the county boards of elections from contracting with outside vendors to program voting machines for elections. In addition, access to the voter registration database is highly restricted and no live data is made available over the Internet; back-ups are frequently made and tested; and data is audited for anomalies.
With all these safeguards in place, all New Yorkers have to do is register and vote! Visit www.elections.ny.gov to find out all you need to vote this November.