Election Security: Detection and Response


One if by Land, Two if by Sea…Three if by Cyber?

What would’ve happened if on that fateful night of Paul Revere’s Ride no one saw the lanterns, or if the watchers completely missed the movement of the British troops? While our nation’s federal and local officials balance providing insight into cyberthreat activity with assuring the voting public that elections are secure, there are warnings to observe. Director of National Intelligence Dan Coats has advised that, “The warning signs are there. The system is blinking.” He has also stated, “…the warning lights are blinking red again.”

During election officials’ preparations for the midterm elections, a key message has been to include cybersecurity in the efforts. Federal dollars have been allocated to the States for improving election security and many counties across the country have made use of the limited funds and limited time before the elections to do what they can. But with early voting starting soon and election day right around the corner, the time to proactively prepare has somewhat passed. Now is the time to focus on the more immediate need for detection and response, and the lanterns are lit to indicate that the adversary is on the move.


There are two key aspects of detection and response to consider in this critical time of the election process. First, and potentially more obvious, is to make sure that the watchers have their eyes peeled for the most likely attacks:

  • Email Threats and Phishing Attacks
    A go-to method seen in nearly every attack is using email messages to lure users into giving up information and access. Make sure users are advised to use extreme caution when opening emails, and to avoid clicking links in emails as much as possible. Avoid phishing attacks by advising users to stop, step back, and consider what the email is asking of them, and to report suspicious emails.
  • Attacks Against Websites
    There is a ton of focus on protecting the machines used for voting, the voter registration and check-in systems, as well as the tabulation systems. Make sure that you also keep an eye out for attacks against functions outside of the core elections functions, like result-posting websites and websites that provide voters with courtesy election information. Also cautiously monitor election night reporting interfaces. Good steps to consider are using dedicated computers that have been set aside for accessing the state’s election night reporting system and validating the web addresses of the sites prior to accessing them.
  • Social Media and Disinformation
    When attackers cannot change a single vote, they will likely resort to creating confusion or dissension using social media accounts and disinformation. Make sure that you have limited access to official social media accounts and watch postings very carefully. Additionally, try monitoring for hashtags and accounts that may try to mimic official sources to make sure that attackers aren’t spreading false information. Election day is a busy time, but watching for these indications will help make sure the public is informed with facts.
  • Malicious Software
    Be very wary of systems that behave suspiciously. While having antivirus installed on computers is a great practice, the malicious software that may spring up during the critical timeline of the elections may avoid detection by common antivirus systems and other protections. If you can closely monitor network traffic for suspicious communications, you may be able to catch something that the other tools miss. Proactively monitoring for these potential warning signs can be the difference between an attempted attack and a successful attack.
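The web-address validation suggested in the list above can be made a repeatable check rather than a visual one. The following is an added example, not part of the original article: it compares a URL against a short allowlist of official hostnames and flags near-miss names, going slightly beyond the text by also catching embedded and non-ASCII lookalikes. The hostnames are constructed placeholders and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder hostnames, not real election sites.
ALLOWED_HOSTS = {"enr.sos.example.gov", "results.county.example.gov"}

def _edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url, allowed=ALLOWED_HOSTS):
    """Return 'ok', 'insecure', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"
    if host in allowed:
        # Right site, but only HTTPS protects the session in transit.
        return "ok" if parts.scheme == "https" else "insecure"
    # Non-ASCII or punycode labels can render like an official name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "lookalike"
    # Official name used as a subdomain or as the userinfo part of the URL.
    if any(a in parts.netloc.lower() for a in allowed):
        return "lookalike"
    # One or two characters away from an official name (typo-style mimic).
    if any(_edit_distance(host, a) <= 2 for a in allowed):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://enr.sos.example.gov/results",
                   "https://enr.sos.examp1e.gov/results"):
        print(sample, "->", classify_url(sample))
```

Treat any result other than `ok` as a reason to stop and escalate rather than proceed.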

Anticipating common attacks is one critical aspect of detection and response. The second important aspect is being prepared to sound the alarm. While the keys above are helpful in the detection of attacks against your elections, there is also the critical function of lighting the lanterns. Attacks against the elections will occur on the front lines, in the counties and jurisdictions that administer the registration and voting. Waiting for the lanterns to be lit by someone else when you are the one seeing the movement of the attackers leaves everyone else vulnerable.

To make sure you are ready to ring the warning bells, keep key contact information on hand and be prepared to escalate threats. Important contacts to consider are:

  • Key County officials and support personnel
  • The Secretary of State team for your state
  • The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC)
  • Contacts for your key election vendors
  • An expert cybersecurity firm that can assist in defending, protecting, and responding to attacks

All indications point to some malicious activity during our upcoming elections. Being prepared to detect and respond, conducting a test of your response process, and reaching out proactively to the entities above will be critical for preventing issues that could jeopardize the results or trust in the election process. Oil up the lanterns.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses's growing client base with risk management support, information security program assessment and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, and serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.