Developing an Incident Response Plan is a critical step in designing a strong cybersecurity program. In the event of an attack, a well-constructed plan can be the crucial difference between operating in reactive mode and taking a more proactive stance that thwarts the attack in its early phases and mitigates the potential damage. While such a plan is valuable for any organization, it is particularly meaningful for election departments focused on preparing for the 2020 election and defending the vote against cyberattack.
Creating an Incident Response Plan for election environments requires a distinct approach compared to plans developed for businesses. Elections involve multiple organizations across different locations and varying tiers of staff members and volunteers. Elections are also inherently time sensitive. A successful plan will accommodate this specific range of factors. Going further, a good plan will account for the most plausible attack methods and how to handle them during an election.
Each organization should have a plan customized to its unique processes and environment. While no two plans will look alike, there are some common elements that form the basis of a sound Incident Response Plan.
Define which events require escalation and action
Not all cybersecurity alerts indicate a serious threat. Have criteria in place that define what warrants immediate, urgent action, and decide on an escalation path that defines who should be notified. Outline what to look for and how to contact the people who need to step in to handle the issue.
Determine your response for each likely attack type
Consider each potential threat and map out a plan for addressing it. Many attacks require isolating the threat by quarantining devices and systems. Other attacks may require involving other teams and departments to orchestrate the right response. Plan concrete steps that can be clearly followed, and consider responses both for an attack within your own network and for an attack outside of your network that may have the potential to impact your environment through data sharing or other connectivity.
Decide how you would respond to ransomware demands
The decision to comply with ransomware demands or not involves multiple stakeholders, often across several departments, which can take time to coordinate – time you don’t have during an attack. Have the tough conversations before you’re faced with the real-life decision so you can carefully weigh the consequences and come to a clear conclusion if the worst happens.
Have a communications plan in place
Any cybersecurity incident involving public data or interests warrants disclosure, and this is particularly true with elections. Identify which organizations should be notified, including the media and law enforcement, and have specific contact information established beforehand.
Incident Response planning is well worth the effort. Knowing that you are prepared to handle a cyberattack scenario helps teams avoid fear mongering and stay focused on running smooth elections.
For guidance on developing your Incident Response Plan, download the CyberDefenses Incident Response Plan Template.