
A Guide for Ensuring Security in Election Technology Procurements

Part 2: Security Risks

Assessing Risk

All IT has risks. Efforts to mitigate some risks inevitably leave other risks unaddressed. Leaders must determine which risks are acceptable in the face of limited resources. To understand and prioritize their risks, all organizations should conduct regular risk assessments. Risk assessments can be sorted into two categories:
  1. Self-assessments: In-house risk assessments are generally faster and less expensive while still providing useful insight into your cybersecurity posture.
  2. Independent assessments: Because they are conducted by outside assessment specialists, independent assessments usually cost more and take longer, but they are more objective and thorough. Where time and resources permit, they are preferable even when an organization has deep cybersecurity experience.
CIS offers a free assessment tool based on the best practices in A Handbook for Elections Infrastructure Security. This tool can be used for self-assessment or by an independent assessment specialist, and it provides a consistent approach for election organizations to assess their own practices and to track progress over time.

Organizational Risk

In a baseline risk assessment of election infrastructure described in A Handbook for Elections Infrastructure Security, CIS identified that the highest level of risk stems from systems that are network-connected, meaning connected to any network (not just the internet) at any time. This category includes most voter registration and election night reporting systems, and may also include some election management systems, e-pollbooks, and, in some cases, tabulation systems. Officials must assess the individual systems used by their organizations. Election officials should confirm that voting machines are not network-connected, but these machines may still carry substantial risks that require prioritization. Systems that are never connected to a network, referred to here as indirectly connected systems, still require careful assessment and prioritized mitigation of risks: they exchange data with each other and with other systems indirectly, through removable media such as USB drives. Beyond network-connected and indirectly connected systems and devices, an additional area of risk involves the transmission of data between systems. For example, ballot definitions and PDFs may be well protected within the jurisdiction's own systems but have risk introduced when they are emailed to a third-party ballot printer. These risks can and should be managed, and part of that process is understanding and managing cybersecurity risk in IT procurement.

Individual System Risk

Once you understand the overall risk to your organization, you can prioritize actions and resources to reduce risk in individual systems. For procured IT, this means ensuring that your requests for proposals and your contracts include requirements for desirable system properties and mitigations. Crafting those requirements demands a cost-benefit analysis, as most security controls impose a cost of some kind. Mandating that a vendor implement every possible security control might be impractical or undermine business objectives. We don't recommend applying all of the best practices in this document to every system. Rather, some best practices should be implemented on all systems, others only on operational systems, and some only on critical systems. For instance, basic website security measures should be applied to any system that has a website, whereas some advanced malware detection approaches are expensive and difficult to implement, so we recommend them only for critical systems. In the best practices section of this guide, we assign each best practice one of the following three applicability classifications:
  1. All systems: The best practice is a reasonable investment to expect for any type of election system. It is vital for mitigating the most common threats.
  2. Operational systems: The best practice is a reasonable investment for systems that are important to successful election operations and therefore carry greater risk. Systems that already have other security mitigations, backups, etc., may not need this best practice. Procurements of all critical systems, and of systems with relatively high risk, should implement it.
  3. Critical systems: The best practice is necessary only for critical systems, which are those with the highest consequence of a successful attack. These are typically the most expensive and difficult best practices to implement; requiring them will likely have an appreciable impact on the cost of your procurement, but they are likely necessary to reduce risk to an acceptable level.
These classifications serve as a starting point for differentiating between the types of systems in an election technology procurement.

Blog post, 13 Feb 2020