We may feel that there is still time to prepare for the 2020 election, but cyberattackers are already actively seeking ways to undermine it. Election attacks typically start long before the actual election. Threat actors seek to infiltrate systems by stealing valuable login credentials through methods like phishing or purchasing stolen data in underground markets, among many other common and not-so-common tactics. Their motivations may be varied, from nation-states wanting to affect outcomes to activists who want to further a cause, and criminals who want to make a buck with ransomware. However, the havoc they cause results in one serious consequence, a lack of trust in our election system that threatens to undermine democracy.
Drawing from extensive experience in cybersecurity and elections, CyberDefenses has put together a thorough program designed to help election organizations strengthen their defenses against election attacks between now and the 2020 election.
The Protect 2020 Election Security Bundle combines assessments, Cyber Navigator guidance, security engineering support, 24X7 security monitoring and cyber intelligence insights into a program unlike any other available. As broad as it is deep, the program covers every aspect of the election process, not only the tabulation systems or voter machines. In most cases, cyberattackers seek to exploit any weakness they can find throughout the process, not just voting equipment.
Election Security Requires a Culture Transformation
For security efforts to be effective, security must be a mindset that infiltrates the entire culture of an election organization. That’s why the program is designed to do more than overlay security onto existing systems and processes. It helps election teams completely transform their culture, seamlessly and painlessly so that election security is simply built into the fabric of operations.
We’ve identified three key elements that help drive this cultural shift in election organizations:
- Election-specific Assessments
Understanding where things stand is critical to knowing how to make improvements. It can be daunting to actively seek and face your weaknesses, but it’s the only way to intelligently implement the security measures that will best protect your election.While there are many cybersecurity companies who regularly perform assessment for a wide range of businesses and organizations, finding one with specific election expertise can make all the difference between success and a devastating attack. Elections are distinctly unique. They involve many offices and departments at different levels of the government with varying degrees of security, complex teams of full-time and short-term volunteers, multiple locations that are not dedicated solely to the function of elections, and several steps in a sophisticated process that is both ongoing and seasonal.Understanding security vulnerabilities and knowing what to do about them requires in-depth knowledge about how each election organization works, how the teams are structured and even the physical spaces where each step of the election process occurs.A good assessment not only gives you insight into where you need to make improvements. It also gives you valuable information into the policies that should be implemented to meet relevant regulations and mandates. What’s more, an assessment can be a useful tool in prioritizing resources and driving crucial conversations with community leadership and stakeholders.
- Staff Education
No matter how secure your technology may be, you are only as secure as your most security-savvy staff member. That’s why team security training and education is such an important element of overall security. Yet, it is an aspect that can be easily overlooked, especially in election environments with a steady flow of volunteers coming in and out of the process.Find a security educator who has expansive cybersecurity knowledge as well as a thorough understanding of the election environment. It’s also a good idea to enlist the help of someone who knows how to navigate the complexities of educating a team in distributed environments. Getting everyone together in one room is sometimes difficult, so having opportunities for online training as well as in-person instruction is a solid way to roll-out education throughout the organization.Security training should also be multi-tiered. Make sure your team understands the overall threat landscape and the attacks that are most likely to happen as well as knowing the specific policies and procedures for your election environment. They should understand how to identify an attack and how to respond. Plus, your leadership teams should be trained on how to escalate incidents through IT and security departments in addition to how to communicate with the public and answer questions from the press.
- Ongoing Security Monitoring and Services
Having an assessment done, making corrective measures, and providing team security training are only part of a strong security program. The work doesn’t stop here because attackers never stop working to infiltrate elections. Just as technology is continuing to advance and change, threat actors are constantly evolving their attack methodologies. Security is a non-stop, continuously active initiative.
Make sure your security plan includes ongoing security monitoring efforts. 24X7 election security monitoring ensures that someone is always watching out for suspicious activity. That way attacks can be stopped quickly or even prevented altogether.
Plus, as your technology, teams and processes shift over the months and years, your security efforts will keep pace. You can avoid some of the most common mistakes that have led to high-profile breaches in the past such as outdated anti-virus software, new equipment that is left unprotected by a firewall, or a new attack method being successfully employed.
Making Election Security Possible
Election security is a large undertaking, but with the right support and an organized effort focused around transforming culture, it can become a seamless aspect of your daily operations instead of a daunting one-time project. The cybersecurity industry is full of advice on ways to secure infrastructures. It can be difficult to navigate the sheer volume and range of security tools, products and services. The Protect 2020 Election Security Bundle takes the guesswork and overwhelm out by providing election organizations with everything they need to secure elections and nothing they don’t.