Election Security Assessments Help Establish a Statewide Security Baseline


Uniform practices and baseline measurements are essential for elections security, and the upcoming Presidential Election will arguably be the most closely watched and highly scrutinized election in our nation’s history. Local elections offices across the country are being told to practice good cyber hygiene and consume endless amounts of best practices and generic guidelines, but the “one size fits all” approach does not fit all when it comes to local elections offices.

State elections officials are well aware that it is very difficult to promote uniform practices without legislation or rules in place, so implementing a program for Election Security Assessments (ESAs) on a statewide basis is an effective way to measure the baseline cyber maturity of local election offices and provide specific feedback and best practices tailored to each jurisdiction while aggregating data to compile uniform standards and procedures for incident response and continuity of operations.

Election Administrators Need Help

Elections consist of multiple moving parts and involve many people with a variety of skillsets. Many elections offices do not possess the skills to fend off hackers, let alone nation-states. Many local elections offices rely on other entities to manage their cybersecurity, whether it’s county IT or a third-party vendor or even the state to provide guidelines and resources. This often results in an inconsistent and unmanageable situation where no one is ultimately responsible when a problem occurs.

Added to that complexity is the fact that attackers are consistently changing their attack methods. Viruses, ransomware, phishing attacks and other types of cyber threats are always evolving, so the methods that worked last year are no longer valid – so elections security is a moving target and needs to be managed by a consistent approach to security through routine checkups and a goal to graduate up on the cyber maturity scale.

Trust that elections are conducted accurately is paramount for voters and when local election officials are able to demonstrate that they have a plan for continuous security assessment and remediation along with any other preventative measures that need to be implemented, voters will be confident that their vote is secure and that they can rely on their local election officials to conduct fair elections and trust the resulting outcome.

Uniform Practices Enable Baseline Measurement

An effective cybersecurity plan factors in the immense number of variables associated with protecting elections begins with a thorough security assessment. It is a concrete first step that builds a solid foundation for a good security program that is focused on defending the right attack areas and dedicated to the best use of resources. With an organized approach to cybersecurity, states can promote uniformity with the local election officials by offering ESAs as a service to get baseline measurements and provide useful insights and tips to improve upon and evolve traditional procedures to meet modern challenges.

With a baseline status of each county or local election office, states can craft a plan to bring all elections offices to a single baseline to begin the long-term goal of reaching the highest level of cyber maturity potential. The local election office gains the benefit of the service provided by the state and the state gains the information needed to craft cybersecurity policies that can be implemented across all local elections offices without exception. Additionally, the identification of common issues will allow the state to communicate those vulnerabilities generally to ensure participation from everyone.

What is an Election Security Assessment (ESA)?

An ESA begins with a discovery call where a cybersecurity team member will explain what the process entails and listen to concerns and special considerations. If approvals are required from the county commissioner or other stakeholders, the cybersecurity team can help navigate the process. In some cases, a security representative can attend approval meetings to answer questions and share detailed information about the assessment.

Once approvals are obtained, there is a kick-off meeting to discuss dates and who needs to be involved in the process. The cybersecurity team will then schedule an on-site assessment visit. During that visit, the team will spend time with different members of your staff gathering the information and making observations. The team will also review your technology infrastructure, including both physical and digital access to your network and data. You can expect these on-site visits to take several days depending upon the size of the county and the elections operation.

After the visit, the team will review the data collected on-site and conduct cyber intelligence research to find any instances of data or chatter on the Darknet. They will also research other potential threats that could affect your election.

Several weeks later, the team will come back to you with a report that details their findings. The report will cover any existing threats that need to be addressed immediately and will identify threats and include detailed and prioritized recommendations from a Chief Information Security Officer that outlines how to address the threats.

An Election Security Assessment is a strong starting point for identifying the cyber maturity of an elections office and for the state to be able to baseline the average across all the local elections offices. With that information, the state can produce uniform guidelines for threat remediation and a plan to constantly reassess the maturity of each local election office and respond to vulnerabilities with a consistent approach that reflects the state’s laws, procedures and practices.

To learn more download our Guide to Election Security.

About the author

Michael Greenman

Michael Greenman is the Director of the State & Local Government Practice at CyberDefenses, where he leads the effort for growing CyberDefenses' client base and communicating with state and local officials in the public sector, while also providing support and assistance to the vulnerability risk assessment and cyber maturity evolution programs. Prior to his employment with CyberDefenses, Michael spent over 16 years in the public sector as a practitioner and a partner vendor in the elections and voting systems market with a variety of roles and responsibilities. Michael earned Master’s Degrees in Cybersecurity and Public Administration from the University of South Florida and is a member of the Election Center.