Expanding Your Election Security Knowledge

Photo by Helloquence on Unsplash

Election security is more than understanding the technology, which on its own can be complex and at times confusing; it also includes understanding how to do things securely at every step of the election process. Many of the concerns during the Midterm Elections were amplified by the atmosphere of uncertainty around potential threats, confusion over how secure our election processes and systems are and unknowns concerning potential ramifications of successful attacks. Finding clarity will go a long way in making our elections more secure, and gaining that clarity involves a focused learning effort, not only for you, but for your entire team.

Knowing what needs to be done requires that you know where you are. That’s why the first step to becoming security savvy is understanding the strength of your security efforts as well as where there may be weaknesses. Conducting a thorough security assessment is a great way to remove uncertainty and remove speculation in your elections processes. A security assessment is also a critical part of determining the starting point for strengthening your security and ensuring you and your team are prepared to defend against potential attacks.

While most security companies provide assessment services across industries and types of organizations, election security requires a specialized approach. An election security assessment should address the many ways elections can be compromised – methods that are often different than the ways in which businesses are compromised.

An effective election security assessment should include these key elements:

1. Know your full environment with everyone and everything in it
You can’t assess what you don’t know. That’s why it’s important to gain a complete view into the people, equipment, files and other items that exist across all locations in your election ecosystem. An assessment should include personnel mapping, capturing all employees and volunteers and how they are related to election functions and the flow of data. Capturing a complete inventory of all technology, including computers, servers, scan devices and DREs is also important. Additionally, be sure that your assessment covers how data is physically stored, such as paper ballot and filing systems.

2. Discover any threats outside of your environment
The reality is valuable data and personnel login credentials may already be compromised. Conducting a Darknet scan to identify information that may already be in nefarious hands is crucial. This step will indicate where and how you need to act immediately. Another important aspect of this step is using threat hunting and threat intelligence to identify potential threat actors that could pose a high risk to your election. This information will help you proactively shape your security plan.

3. Review your entire process
A thorough assessment should also include an in-depth review of your entire process. Evaluate each step and aspect of your voting system, from how you use and maintain your Election Management System to the moment your vote tallies are published.

    • Election Management Systems
    • Voter Registration
    • Voter Check-In
    • Ballot Creation
    • Vote Tabulation
    • Election Results Reporting and Publishing

4. Review all security policies and procedures
New security threats are constantly challenging elections making a regular review of your existing security policies and procedures a necessity. A good way to assess your overall security is to evaluate your policies against current attack methods as well as new technologies. If you don’t have security policies in place, an assessment is a great time to set the goal of establishing them.

5. Benchmark your staff’s knowledge of good security practices

Security vulnerabilities aren’t only found in technology. They can also be found in simple human error or through a lack of understanding proper security policies and procedures. A good assessment will include gaining clear insight into what your staff knows about keeping the election process secure.

6. Ensure that election officials and staff are security savvy
Conducting Election Security Exercises could mean the difference between successfully diminishing the damage of an attack and facing a crisis that spirals out of control. Exercises can help ensure that your team is armed with information about how to respond to attack or potential attack according to their specific roles and responsibilities. Your security assessment is a strong jumping off point for coordinating exercises that address your exact security vulnerabilities, the hacking methods you’re most like to encounter and customized ways to mitigate the risks. These recommendations will enable significant improvements so that election officials and staff can be confident that they are ready to match up to threats.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses's growing client base with risk management support, information security program assessment and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, and serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.