CIS Publishes Handbook to Help Secure U.S. Elections Infrastructure

March 15, 2018

East Greenbush, NY

Collaborative Group Led by CIS Addresses Infrastructure Needs to Complement Other Elections Security Activities

East Greenbush, NY, March 15, 2018 – At a launch event held today at the University of Maryland’s School of Public Policy, non-profit CIS® (Center for Internet Security, Inc.) ­– in collaboration with federal agencies, state and local officials, vendors, academia, and other nonprofit organizations – announced the publication of A Handbook for Elections Infrastructure Security, to help elections officials and their technical support teams defend the systems and networks vital to our functioning democracy.

“The elections officials’ work to date has yielded a great deal of success protecting elections, but as threats evolve, continuous efforts are needed to make elections systems even more secure,” said John Gilligan, CIS’ Executive Chairman. “CIS’ new handbook details best practices that are proven to lower risk for IT systems. In most cases, elections systems will have already implemented many of these best practices. Also, the handbook will permit officials to identify and prioritize future work as well as to effectively allocate scarce resources,” he added.

Numerous distinguished elections officials were in attendance at the UMD event, including Connie Lawson, President of the National Association of Secretaries of State, and Indiana Secretary of State; Robert Kolasky, Department of Homeland Security’s Acting Deputy Under Secretary for the National Protection and Programs Directorate; Amy Cohen, Executive Director, National Association of State Elections Directors; Matt Masterson, Commissioner, U.S. Elections Assistance Commission; Thomas Connolly, Dir. of Election Operations, New York State Board of Elections; and Dr. Robert C. Orr, Dean, University of Maryland School of Public Policy.

About the Handbook

Presenting at the launch event was Dr. Mike Garcia, who has held positions at DHS and NIST and was the primary author on A Handbook for Elections Infrastructure Security, who adds, “The elections community has been working for decades to protect elections, but more recent cybersecurity threats present challenges. This handbook provides a bridge between non-technical and technical information to help organizations prioritize efforts and maximize the impact of investments.”

CIS’ A Handbook for Elections Infrastructure Security has benefitted from extensive advice and numerous best practice examples from elections directors as well as state and local government technical experts.

A Handbook for Elections Infrastructure Security:

  • Includes details on 88 best practices
  • Identifies high and medium priority for those best practices
  • Addresses the different ways aspects of elections systems are connected to each other and the internet
  • Addresses auditing, incident response planning and response, and contracting for services

Key Findings

In writing and developing this handbook, CIS verified that many elections organizations are highly focused on improving their infrastructure security and have a better security posture than commonly reflected in today’s media reporting. While these organizations work to protect the whole of the elections process, there has been a substantial focus on voting systems – the actual vote capture or vote aggregation systems – and less on networked components like voter registration and election night reporting. All efforts to protect elections systems are extremely important, but CIS and its collaborators saw value in address the full set of risks impacting elections infrastructure in a holistic way.

The handbook reflects the reality that the most significant risks to voting infrastructure affect those components with network connections. Examples include many voting registration systems and election night reporting systems, both of which may carry substantial cybersecurity risks. These attacks can cause disruptions in the elections process and lead to a loss of public confidence in the integrity of the voting process. On the other hand, these risks are similar to those in other sectors with networked systems, and well-known mitigations exist.

A Handbook for Elections Infrastructure Security directly addresses these risks and challenges with actionable guidance to improve the security of state and local elections infrastructures by providing a set of best practices and controls to lower risk for IT systems.

Announcement of the Elections Infrastructure ISAC

Robert Kolasky from DHS also used the University of Maryland event to announce the establishment of an Elections Infrastructure Information Sharing and Analysis Center (ISAC). ISACs help member organizations collect, analyze, and disseminate threat data and provide the tools, resources, and guidance to address or remediate those threats. CIS has been tasked by DHS with establishing the Elections Infrastructure ISAC building on its ten-plus year experience in operating the Multi-State Information Sharing and Analysis Center® (MS-ISAC®). The new Elections Infrastructure-ISAC will serve the over 8,800 U.S. state and local elections jurisdictions providing early warnings of cyber system threats, security vulnerability and incident information sharing, and remote security monitoring, as well as education and training opportunities. Adds Gilligan, Chairman of CIS, “The Elections Infrastructure ISAC will significantly improve communications with and among the elections community as well as enhance the cyber defense tools and capabilities available to protect elections systems.”