Episode 20: The State of Election Cybersecurity

In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist, Tony Sager welcomes Kathy Boockvar, Vice President of Election Operations and Support and Marci Andino, Sr. Director of the Elections Infrastructure Information Sharing and Analysis Center, or EI-ISAC. Together, they discuss the state of election security for state and local governments.



Election Security Differs from State to State

In the Unites States, elections do not follow an identical process from state to state. Not only is the process different, but the stakeholders involved in that process differ as well. Andino explains that the Secretary of State, a third party company, state institutions, and town clerks all could be making decisions about how an election is run. Responsibility falls on many different people working together to keep the election process secure.

For example, Pennsylvania is a decentralized system with 67 counties. The Department of State, the Information Technology Management Association, and the National Guard all work together at the state level to communicate information across all the counties. These groups also work with the Department of Homeland Security (DHS) and CISA (Cybersecurity and Infrastructure Security Agency) at the federal level to learn about threats outside of the state that they should be protecting against.

Centralized vs. Decentralized Election Security

There is a benefit to making everything the same, and it is that you can see everything more clearly and changes and communications can be made more easily. However, if there is one mistake, it affects all facets of the system. When it comes to election security, a hybrid of both centralized and decentralized practices makes for a more secure election process and protects against cyber-threats.

With state and federal governments should be working together on the standardization of certain aspects of the election process, hours for voting or setting up polling offices could be the same across the country. This could increase voter trust in the process.

Decentralization helps with cybersecurity as it offers more complexity and difficulty for an attacker. For example, the Department of State has the authority to certify which voting systems can be used by the states (and their configurations of those systems); among those certified systems, a county can choose whichever system they want to use. That means that there a many different voting systems and configurations across the state, and ultimately the country, for an attacker to have to hack.

Voter Confidence for the Election Process

Cybersecurity for elections is not new. It may just seem that way given the increasing expansion of technology. Security is built into the system at every level from the voter registration database to end users and volunteers. Boockvar breaks it down into four parts:

  • People – Local individuals, fellow voters, are running the elections and are being trained on how to keep voting secure.
  • Process – There is a process to register to vote, different ways to submit a ballot, the validity of a voter checked among many databases, and more.
  • Science – There is a vast ecosystem behind the security of an election. Many moving parts are working and communicating non-stop to make the process work.
  • Math – Audits are mandated across the state and are continuously monitored throughout an election.

Tools for Elections Offices

Training and tools for workers at every level of the elections infrastructure is imperative. Using tools and resources to prevent an attack is just as important as educating volunteers on phishing, basic cybersecurity risk, and insider threats. Some resources that are available to states are:

  • Endpoint Security Services : CIS Endpoint Security Services provides endpoint detection and response (EDR) protection against cybersecurity threats in remote and hybrid work environments, protecting devices regardless of the network they are connected to.
  • Malicious Domain Blocking and Reporting (MDBR): MDBR technology prevents connection to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats.

Many resources are available at no cost to U.S. State, Local, Tribal, and Territorial elections entities through the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Through the EI-ISAC, election agencies will gain access to an election-focused cyber defense suite, including sector-specific threat intelligence products, incident response and remediation, threat and vulnerability monitoring, cybersecurity awareness and training products, and tools for implementing security best practices

The most important thing to remember is that voters are people, but those running the elections are also just people. We want to thank and support those helping who are keeping our elections secure, not just during an election, but all year round.