In recent weeks the federal and state governments have been pushing legislation forward in efforts to protect elections from cyberattack.
For instance, bill US HR1, the For the People Act of 2019, passed in the United States House of Representatives in March and is now being considered by the Senate. The bill includes the Election Security Act, which calls for more resources to protect elections from cyberattack, among several other elements that deal with expanding voting access and strengthening ethics rules.
Maryland, California and many other states have also recently drafted similar bills for consideration. In Texas, the CyberDefenses team recently testified in support of bill HB1421 that is currently before committee. It stipulates that the Secretary of State will adopt rules that encourage cybersecurity best practices for all state elections. It also recommends security training for election teams.
These are crucial steps and significant wins. At the very least, the proposed laws raise awareness around the cybersecurity concerns that threaten the integrity of our elections. They are also a step toward increasing the resources that the nation and local governments will need to defend election results against hacks, tampering and misinformation campaigns.
As we wait to learn which bills will pass and which will not in the coming months, the proposed legislation is raising a critically important question. It’s a question that we will need to address no matter which bills become law: What are the best ways to accomplish the recommended improvements?
Cybersecurity Requires More than the Right Technology
As we’re reminded with each new attack method that hits the headlines, cybersecurity is not a simple, single-track endeavor.
This statement is particularly true for election security. The election process is dispersed among different levels of government and organizations. Plus, it’s coordinated across different groups of people, including volunteers. This complex structure presents multiple attack vectors that threat actors can exploit to disrupt the process and cast doubt on election results.
It can be easy to point to purchasing new tools and equipment as the best way to improve security. In some cases, investing in new equipment and technology, such as overhauling voting machines that have not been updated in many years or implementing a firewall where one does not exist, is the correct first step.
Yet, having the latest, most secure systems, machines and software is just the tip of the iceberg. Adequately securing elections requires the implementation of best practices across every aspect of the election process.
Good Election Security Combines the Right Tools with the Right Behaviors and Mindset
Securing an environment as complex as elections, with stakes as high, requires nothing short of a complete paradigm shift. While the proposed legislation currently in front of lawmakers recognizes this fact, there are limits to what can be accomplished by new laws alone. It is up to each of us, as voters, as election volunteers and as election officials and staff members, to act and implement cybersecurity best practices consistently.
Regardless of which bills become mandated laws, there are best practices that we can all follow to help defend elections against cyberattack:
- Know the Threats That Could Impact You: Understand attacker motivations and the most common ways cyber criminals obtain login credentials and tamper with systems, networks and election results. Read up on what a phishing campaign looks like and what to do if you think you are being phished. Also, if one isn’t already in place, ask your team to define an escalation path that clearly outlines who you should notify if you recognize anything suspicious.
- Protect Your Passwords: This can’t be emphasized enough. Don’t make it easy for attackers to find and steal your passwords and other login credentials. Use password managers and good common sense to create hard-to-guess passwords, and get in the habit of regularly changing passwords and keeping them protected.
- Practice Good Physical Security Habits: It’s true that cyber criminals are predominantly active in the digital realm, but in the case of elections, they also stage attacks by accessing and tampering with physical devices, like voting machines. There have been incidents that can be traced to credentials stolen from someone’s desk, not on the Internet. Make sure visitors are not allowed unsupervised access to areas that house servers, networks or voting equipment. Physical security is just as important to election security as digital security.
- Stay Informed and Communicate: It is hard for the criminal element to thrive when we share what we learn and stay as informed as possible on their most recent attack methods. Subscribe to newsletters, add election security to your news feed alerts, and ask questions about what is being done in your community. If anything looks out of place or seems suspicious, bring it to someone’s attention. At no other time in history has it been more important than now to be an active participant in the democratic process.
No Matter How You Break It Down, Election Security Is a Complex Problem
Laws will only take us so far on the journey to effectively protecting our elections. The cybersecurity landscape is full of tools and different services. Plus, each voting location and election organization is unique. It’s impossible to prescribe a uniform solution across all election organizations. Legislation will help emphasize the importance of employing these resources to defend election integrity, but the real work rests with us regardless of the laws that are in place.
Security best practices will help if everyone is aware and follows them, but just as legislation is only part of the puzzle, these tips don’t comprise a full cybersecurity strategy. Election organizations will also need to draw from the advice and knowledge of cybersecurity and IT experts who understand the full scope of the threat landscape and are well-versed in stacking technologies, policies and practices into an ongoing program that can fully protect an election.