Part 1: Introduction
To enable the elections that define democracy, we must protect the security and reliability of elections infrastructure. Through a best practices approach, we aim to help organizations involved in elections better understand what to focus on, know how to prioritize and parse the enormous amount of guidance available on protecting information technology (IT) systems, and engage in additional collaboration to address common threats to this critical aspect of democracy.
The Center for Internet Security (CIS) and its partners publish this handbook as part of a comprehensive, nationwide approach to protect the democratic institution of voting. Election officials have been working diligently to secure their systems but, like so many other sectors, the threat to national security rises above any individual organization; we can accomplish more together, and we all share the same goal of free and fair elections. To that end, CIS is committed to a long-term effort to continuously advance and promote best practices for elections security as part of a national response to threats against elections infrastructure. This handbook addresses cybersecurity-related aspects of elections systems.
Background and purpose
Elections are the bedrock of democracy. Even before the establishment of the United States, adversaries sought to corrupt, interrupt, or otherwise disrupt democracy by subverting elections. From adversarial nation states, to terror groups, to Boss Tweed vote strikers, to those simply wishing to wreak havoc, attacks on the voting process are as old as voting itself. There is no way around it: protecting democracy calls for protecting elections.
The desire of some to disrupt elections has not changed; Joseph Harris’ 1934 seminal book on elections, Election Administration in the United States, enumerates a series of election fraud incidents throughout American history. What is different in recent years is some of the tactics of such efforts to undermine democracy. Attacks leveraging weaknesses in digital infrastructure now augment traditional approaches and have become an increasingly common approach.
Judging by activity in industries and sectors outside elections, this should come as no surprise. Organizations across all sectors and government entities alike face daily attacks from actors with widely varying levels of sophistication. The most capable, best protected organizations have specific plans for addressing evolving threats. The plans are never static; these entities continually adapt—as do their adversaries—requiring an ongoing investment in security.
Moreover, in many industries and sectors, the good guys have realized that a go-it-alone strategy isn’t enough. They’ve developed approaches that allow them to share information, establish best practices, and develop coordinated response plans to mitigate effects of coordinated attacks. This collaboration raises the level of security for the individual organizations, their respective industries or sectors, and the country.
Even in the financial services industry—in which annual investments by individual organizations in improved security for their digital systems can range in the many hundreds of millions of dollars—organizations pool some resources to support the Financial Services Information Sharing and Analysis Center. This collaborative approach to monitoring the evolving threat environment helps support even the most substantial individual efforts. These same approaches have been repeated in many industries, including communications, the defense industrial base, aviation, oil and gas, real estate, electricity, and others. Protecting elections infrastructure is certainly no less important to our country’s national security and overall well-being than protecting the infrastructures in these other vital sectors.
In the state and local sector, the Multi-State Information Sharing & Analysis Center (MS-ISAC) works with state and local entities to monitor threats to their systems, detect common attacks across states, and support mitigation of risks presented by vulnerabilities and changing attacker behavior. This results in a more rapid deployment of solutions when new threats emerge; if there’s one thing we know about these actors, once they succeed in an attack, they’ll duplicate it everywhere they can.
The parent organization of the MS-ISAC and sponsor of this handbook, CIS, has used collaboration among a large number of security experts as a means to identify best security practices. These collaborative processes have resulted in several products available to state and local governments and other entities, including election officials and their technical staff. These include the CIS Controls and CIS Benchmarks, which heavily inform the recommendations in this handbook.
An underlying reality to all current work in cybersecurity is that a skills gap exists for cybersecurity globally, across all industries—elections included. Closing this skills gap is critical to elections and securing the process. Implementing best practices is only possible with the right people who have the necessary skill-set. Therefore, we hope what follows in this handbook will serve individuals with differing skills and resources in implementing practical guidance for election administration.
The elections environment
Elections in the United States are highly decentralized with more than 8,000 jurisdictions across the country responsible for the administration of elections. While the federal government provides some laws and regulations, states have substantial discretion on the process of conducting elections. The federal government does not administer elections and has a limited role in dictating how the process is to be conducted.
States act as the primary authority for the laws and regulations that govern the process of conducting an election in that state. Under federal law, states must designate a chief state election official. This official typically sets rules and regulations for the implementation of election technologies and their use. Although states are heavily involved in setting the rules and policies for administering elections, and in choosing election technology, in most states local jurisdictions administer and conduct the processes of an election.
Many local jurisdictions have the ability to procure their own election technology from a set of certified or approved manufacturers and vendors designated by their respective state. Additionally, the local jurisdictions are typically responsible for inventorying, securing, and training staff on those technologies. Depending on the size and resources of the jurisdiction, the number and technical skills of the staff can vary greatly, ranging from an elections team with its own dedicated IT and security personnel to a single person with little to no IT background. Many elections offices rely on IT resources shared with other administrative functions (e.g., other county agencies) or rely exclusively on technology providers (e.g., elections and IT systems vendors) for implementing and securing their election infrastructure. This can result in dependencies that are outside of the local officials’ control.
By using this handbook, we hope election officials and those that manufacture, own, operate, or are otherwise involved with elections systems and their IT components are better able to understand and prioritize risks, understand best practices that can identify threats, detect attacks, allow for recovery from cybersecurity incidents, and, ultimately, continue to provide and support systems for the execution of free and fair elections.
In addition to this handbook providing a path to continually evolving security, perhaps the most important aspect of this effort is to help instill a continued sense of faith in elections by voters themselves. We hope election officials are able to use this handbook to highlight the past and ongoing work they’ve done to secure the elections process and that, through openness, transparency, inclusion of relevant stakeholders, and consideration of the entirety of the elections process, voters recognize that democracy is working and their votes will count.
More specifically, we hope this handbook is of use to each of the following:
- Election officials and senior executives. These individuals are accountable for executing elections. In addition to state and local election officials, they may include those indirectly involved in the election process, such as the offices of legislators and governors.
- Owners and operators of elections systems. These individuals have more responsibility for the systems themselves, though there may be some overlap with election officials. It’s critical that they understand the risk context and the technical guidance in this handbook.
- Vendors of hardware and software. Whether providing systems and services dedicated to elections or general purpose but used in elections, vendors are, and must remain, partners in this process. Moreover, vendors often provide the primary technology expertise and labor to local election officials. Vendors have a vested interest in their products and services, and election officials driving vendors toward best practices can help all boats to rise with the tide, including improvements in the development, testing, and continual evolution of vendors’ products.
- Others who can help secure elections. This includes the U.S. Election Assistance Commission (EAC), the U.S. Department of Homeland Security (DHS), state chief information officers and chief information security officers, state homeland security advisors, fusion centers, election integrity groups, academics, and other non-profits and private companies willing to lead or support various efforts. This is, in many ways, a baselining effort that we hope supports other efforts dedicated to improving the security of elections, both new and ongoing.
- Voters, the media, and other interested stakeholders. In the end, no stakeholder matters more than voters. Not only is it the duty of all to ensure elections represent the will of voters, but it is the duty of all to ensure that voters have confidence in the process before heading to the polls and after results come in.
Goals and outcomes
This handbook is about establishing a consistent, widely agreed-upon set of best practices for the security of systems infrastructure that supports elections. It provides both a general explanation of the threats that exist for the various components of the elections process and examples of known mitigations for these threats.
By developing and publishing this handbook, CIS aims to establish a baseline of protection for all aspects of the elections infrastructure ecosystem that leverage digital tools and applications. The primary goal of this handbook is to impact and improve the security of elections infrastructure as soon as possible, and ideally in advance of the 2018 elections, and establish a set of best practices that, with continual updates, supports elections infrastructure security into the future. We expect many elections systems will already incorporate the majority of these mitigations, allowing those jurisdictions to demonstrate a strong baseline. In that case, the handbook can assist in prioritizing for continual improvement and evolution.
This handbook is divided into three parts that together provide a baseline view of how to manage cybersecurity risk in elections:
- Part 1: Introduction. This introductory section describes this handbook and provides some general information on risk assessments in elections systems.
- Part 2: Elections Systems and Risk. The second part introduces a high-level generic elections architecture, some components of which may exist at the state level, some at the local level, some both, and some not applicable in certain jurisdictions. It also classifies these common components of elections systems according to the manner in which they are connected to networks or other systems. For each major component of the generic elections infrastructure, there is an overview and description of how it fits in the elections landscape and a brief description of the risks and threats associated with the component. Finally, it summarizes the classification-based ways that different implementations of the components are connected to other digital infrastructure.
- Part 3: Mitigating System Risk. The third part is a technical best practice guide that provides controls and recommendations for systems. It includes two major sections: 1) a set of critical risk-mitigating activities that can benefit any organization and 2) a set of technical best practices for users, devices, software, and processes that are listed first for components that are network connected and then for those that are indirectly connected. We also provide technical best practices that address transmission of information among digital components of the elections infrastructure. As described below, the nature of the connectivity to other elements of the elections digital infrastructure is the major security vulnerability area and thus we have chosen this connectivity as the basis for organizing technical controls. Technical staff, whether government or contracted resources, should be able to implement these controls to provide an appropriate mitigation of risk.
What this handbook is not
A shortcoming of many efforts in domains as large as IT security and elections is a failure to properly scope efforts. In addition to describing what this handbook is, we want to be explicit about what this handbook is not.
Aspects of elections, voting, and protecting democratic institutions that are not part of the scope of this handbook are not an indication of importance, but rather an acknowledgment that no single effort can successfully address everything. This handbook limits its scope to only digital aspects of elections themselves, though in some cases it references paper-based processes in order to further the discussion. The one exception to this is the recognition of how the means of transmission can inject cybersecurity risks, such as digitally transmitting to-be-paper pollbooks to a printer. In these cases, we identify the transmission risks in Part 2 and the mitigations to transmission risks in Part 3.
Beyond this, there are several aspects of election security we do not address. This handbook is not:
- A one-size-fits-all. This handbook does not recommend any single approach to managing election systems or developing and deploying elections systems technology. Election jurisdictions tailor their voting processes and systems to the needs of their voters and jurisdictional laws and requirements. That said, there are many commonalities. Rather than focus on differences of approach, this handbook focuses on the best practices associated with common approaches, recognizing the variety of approaches and architectures wherever possible.
- An all-encompassing scope. As this handbook is about improving the security of elections infrastructure as it exists today, we have intentionally left several aspects of the broader voting process, however important, out of scope:
- Eligibility for an individual to register to vote;
- Voter identity verification, unless specifically about the accuracy and availability of voter registration rolls;
- Security of campaigns or campaign information systems; and
- The accuracy of information about candidates or issues, including those conveyed using social media.
Assessing risk in elections systems
A common way of describing an organization’s cybersecurity posture is in terms of risks that have been mitigated and risks that have been accepted. Those outside the information security community will often think of security in terms of stopping all possible threats. Both within the community and in the legal domain, practitioners understand that perfect cybersecurity is not possible. Rather, organizations seek to achieve “reasonable” security that involves accepting some level of risk given the threats and potential consequences, while maintaining an ability to recover should any of those consequences be felt.
Elections systems risk overview
The IT systems infrastructure that supports our elections processes has myriad risks, and these risks vary from one organization to the next. There are a number of commonly used risk assessment approaches that can be used by election officials and their technical staff to help assess risk, such as International Organization for Standardization (ISO/IEC) 27005 and National Institute of Standards and Technology (NIST) Special Publication 800-30. Among the most popular tools for understanding and managing cybersecurity risk is the NIST Cybersecurity Framework, which organizes cybersecurity activities in five functions: identify, protect, detect, respond, and recover.
Unfortunately, many election officials do not have the expertise or resources to conduct an adequate risk assessment. The ability to efficiently and effectively execute a risk assessment is further reduced by the difficulty in objectively assessing evolving threats, as well as the complexity of the elections processes and systems.
In its simplest form, a risk assessment is used to identify and assess the impact of vulnerabilities— weaknesses that an attacker can exploit—while being mindful of the compensating controls that exist in a system. These risks can be mitigated with appropriate physical, process, and technical safeguards. In this way, risk and potential impacts can be reduced to a level deemed acceptable by the accountable election officials, often called a balanced risk posture. The potential impact or consequence of a successful exploit is an important part of a risk assessment as elections officials want to focus first on exploits that have the greatest potential consequence. While some risks vary from one election jurisdiction to another, many are common across the wide variety of elections systems configurations. As part of producing this handbook, experts have collaborated to assess the common risks to elections systems. This common baseline risk assessment has influenced the prioritization of security best practices in the handbook.
Baseline elections risk assessment
The baseline assessment of risk for elections is summarized for the purpose of helping election officials and their technical staffs understand the major areas of risk that can serve as their primary focus. Each organization should augment the baseline elections risk assessment to address the risks that might be unique to their elections processes, systems, and threats.
Examples of threats and consequences
A nation-state uses the internet to access and disrupt one or more state voter registration databases such that legitimately registered voters are denied the ability to vote on election day, or are required to file a provisional ballot.
Although no votes are manipulated, this attack would likely be a major national news story that results in reduced confidence by the public in the integrity of the voting process and the election results. Additionally, this slows the voting process, creating the risk of long lines and making in-person voting less efficient.
An adversary gains access through the internet to one or more election night vote displays and changes the displayed results such that the real winner of the election is now the reported loser in the election.
Again, while no votes have been changed, and the erroneous posting of election results by an authoritative source will subsequently be republished correctly, there is likely to be a significant loss of voter confidence.
A top-level assessment of vulnerabilities and potential consequences to the elections systems infrastructure identifies network connectivity—devices or systems that work with other devices or systems to achieve their objectives—as the major potential vulnerability. The reason is simple: given an adversary with sufficient time and resources, systems that can be accessed via a network cannot be fully protected against compromise. There are ways to improve the security of network connected systems with additional controls, but the inherent complexity of network connectivity results in significant residual vulnerabilities.
Therefore, risks for system components that are connected to a network should be treated differently than for components that are never connected to a network. In this handbook, the definition of “network” includes connections to the internet as well as connections to both local wired and wireless networks.
While systems that are continuously connected to a network have a somewhat higher risk than systems that are only intermittently connected to a network, experts have demonstrated that any network connectivity, even if only for a limited period of time, results in a significantly larger vulnerability profile. An access path to these components may be available through the internet if any connected component can access the internet, and thus an attack can be orchestrated from anywhere in the world. The box above illustrates examples of these threats.
On the other hand, systems that have a digital component but are not network connected have a reduced vulnerability profile. Specifically, there are fewer ways to attack such systems and devices, but it does not mean the consequences of a successful attack are any lower—indeed, an attack can still be executed without geographic boundaries. The methods used to upload and download information (e.g., USB sticks, memory cards) still have vulnerabilities, but there are fewer vectors of attack to mitigate.
Three classes of elections systems
In this handbook, we have organized best practices into two classes based on the different threat characteristics associated with levels of connectedness. A third class, that of processes that are executed without a digital component, such as hand-counted paper ballots—the casting and counting of ballots via purely paper and manual means—is out of scope for the handbook.
While there are many components to a complete election system, many of the cybersecurity risks associated with them can be grouped to simplify the steps to manage risk. One approach to this is by analyzing the manner in which they connect to networks and other devices. Throughout this handbook, we classify components of elections systems based on three types of connections that most clearly define the risk landscape:
- Network connected systems and components. Network connected components are interconnected with other devices to achieve their objectives. The level of interconnection, while providing various benefits, also introduces additional risks that must be taken into consideration when managing the lifecycle of the device. Most network connected devices will provide a remote means for accessing and managing the devices, which means organizations must make extra efforts to protect access to those capabilities. Network connected devices do not necessarily have to be connected to the internet, nor does their connection have to be persistent. As an example, an Election Management System (EMS) connected to a private county network would still be classified as a network connected system.
- Indirectly connected systems. Indirectly connected components are not connected to a network at any time and are not persistently connected to other devices. They do, however, have to exchange information with other elections system components including network connected systems in order to complete their objectives in the election process. These information exchanges are done using removable media such as USB drives or other flash media. While the risks associated with being connected to a network or the internet are no longer relevant, threats are introduced by exchanging information with other devices, either through the use of removable media or a direct connection to another device such as a printer or an external disk drive.
- Non-digital elections components. These are aspects of the elections process that have no digital component and are out of scope for this handbook. An example would be the mailing, completing, and returning of a paper mail-in ballot. While aspects of the overall process—such as an online request for the ballot—may leverage digital infrastructure, the aspect of this process that is purely paper-based is out of scope.
In Part 2 of the handbook, each major component of an election system is briefly described and then placed into one of these classes, providing a method to simplify the risk landscape and assist officials and their technical staff in determining the most effective and efficient approaches to managing risk. In some cases, major components are divided into the primary approaches to executing a process, such as the different approaches to conducting vote capture, each of which is classified individually. This classification analysis becomes the foundational basis for an elections organization selecting the appropriate technical best practices for that component described in Part 3 of the handbook.
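The classification above is a decision rule, and it is easiest to apply to a real inventory when written down as one. The following is an added example, not code from CIS or the handbook: it assigns each component to one of the three classes using the criteria stated in this section (any network connectivity, even intermittent or on a private LAN, means network connected; a never-networked digital component that exchanges data by media or a direct device link is indirectly connected; only components with no digital part are non-digital), lists the attack-vector families the text names for each class, and separately records electronic data transfers between components, the transmission risk discussed in the next section, which applies even when the sending process is out of scope. The inventory, the `Component` field names and the consequence ratings are constructed assumptions.

```python
"""Classifying an elections inventory by connectivity.

Added illustration of the three classes described in Part 1 of the
handbook; not code from CIS or the handbook. The inventory, field names
and consequence ratings are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class SystemClass(Enum):
    NETWORK_CONNECTED = "network connected"
    INDIRECTLY_CONNECTED = "indirectly connected"
    NON_DIGITAL = "non-digital (out of scope)"


# Attack-vector families the handbook text associates with each class.
VECTORS = {
    SystemClass.NETWORK_CONNECTED: [
        "remote access and management interfaces",
        "reachable from the internet if any peer on the network is",
    ],
    SystemClass.INDIRECTLY_CONNECTED: [
        "removable media (USB drives, memory cards)",
        "direct device connections (printers, external drives)",
    ],
    SystemClass.NON_DIGITAL: [],
}


@dataclass
class Component:
    name: str
    digital: bool                      # has any digital component at all
    networked: bool = False            # ever on a LAN, WLAN or the internet, even briefly
    removable_media: bool = False      # exchanges data via USB or flash media
    direct_device: bool = False        # direct link to a printer, external drive, etc.
    consequence: int = 1               # constructed rating, 1 (low) to 3 (high)
    # Electronic transfers of this component's data to other components,
    # e.g. pollbook content sent to a printing service.
    transmits_to: List[str] = field(default_factory=list)


def classify(c: Component) -> SystemClass:
    """Apply the handbook's rule: no digital part -> non-digital; any network
    connectivity (persistent or intermittent, private or internet) -> network
    connected; otherwise indirectly connected."""
    if not c.digital:
        return SystemClass.NON_DIGITAL
    if c.networked:
        return SystemClass.NETWORK_CONNECTED
    return SystemClass.INDIRECTLY_CONNECTED


def transmission_paths(inventory: List[Component]) -> List[Tuple[str, str]]:
    """Every electronic transfer is a transmission risk regardless of the
    sender's class: a paper pollbook is out of scope, sending its content to
    a printer is not."""
    known = {c.name for c in inventory}
    paths = []
    for c in inventory:
        for target in c.transmits_to:
            if target not in known:
                raise ValueError(f"{c.name} transmits to unknown component {target!r}")
            paths.append((c.name, target))
    return paths


_CLASS_RANK = {SystemClass.NETWORK_CONNECTED: 0,
               SystemClass.INDIRECTLY_CONNECTED: 1,
               SystemClass.NON_DIGITAL: 2}


def prioritize(inventory: List[Component]) -> List[Tuple[str, SystemClass, int]]:
    """Greatest potential consequence first, then the class with the larger
    vulnerability profile, then name for a stable order."""
    rows = [(c.name, classify(c), c.consequence) for c in inventory]
    return sorted(rows, key=lambda r: (-r[2], _CLASS_RANK[r[1]], r[0]))


def report(inventory: List[Component]) -> dict:
    """Per-component summary: class, vector families, outgoing transmissions."""
    outgoing = {}
    for src, dst in transmission_paths(inventory):
        outgoing.setdefault(src, []).append(dst)
    out = {}
    for c in inventory:
        k = classify(c)
        out[c.name] = {"class": k.value, "vectors": VECTORS[k],
                       "transmits_to": outgoing.get(c.name, [])}
    return out


# Constructed inventory for illustration.
INVENTORY = [
    Component("Voter registration database", digital=True, networked=True,
              consequence=3, transmits_to=["Electronic pollbook"]),
    Component("Election management system", digital=True, networked=True,  # private county LAN only
              consequence=3, transmits_to=["Ballot printing service"]),
    Component("Electronic pollbook", digital=True, networked=True,  # Wi-Fi sync on election morning only
              consequence=2),
    Component("Ballot scanner", digital=True, removable_media=True,  # definitions loaded by memory card
              consequence=3),
    Component("Paper pollbook", digital=False, consequence=2,
              transmits_to=["Pollbook printing service"]),  # content sent electronically to the printer
    Component("Pollbook printing service", digital=True, networked=True, consequence=1),
    Component("Ballot printing service", digital=True, networked=True, consequence=2),
    Component("Hand-counted paper ballots", digital=False, consequence=3),
]


if __name__ == "__main__":
    for name, k, impact in prioritize(INVENTORY):
        print(f"{impact} {k.value:28} {name}")
    for src, dst in transmission_paths(INVENTORY):
        print(f"transmission risk: {src} -> {dst}")
```

Note that the electronic pollbook lands in the network connected class even though it only syncs briefly on election morning, and the paper pollbook, although out of scope as a component, still contributes a transmission path to the printing service; both follow directly from the criteria in this section.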
Transmission between components creates vulnerabilities
While securing elections systems components is important, one of the largest sources of vulnerabilities, and thus most common methods of attack—attack vectors in cybersecurity parlance—lies not in the systems but in the transmission of data between systems. Weaknesses in communications protocols, or in their implementation, risk exposure or corruption of data, even for systems that are otherwise not network connected. For instance, while paper pollbooks wouldn’t typically have cybersecurity risks, if the data for the pollbooks is sent electronically to a printing service, this transmission introduces risks that must be addressed. Similar vulnerabilities exist in transmission of ballot layout information to printers or in loading ballot information into ballot scanning (i.e., vote capture) devices. In Part 3, we also address transmission risks of this nature and the best practices that can mitigate them.
Part 2: Election Systems and Risk