Election Security Spotlight - What are Insider Threats?

What are Insider Threats?

The term “insider threats” describes individuals who are a part of an organization and use their access to steal information or otherwise cause damage to that organization. Insider threats are uniquely dangerous because they may be harder to spot than external threats. Personnel within an organization know details about how systems are structured and where information is stored. Insider threats may have more access to a system (such as administrator privileges) than an outsider; this allows them to bypass existing security systems and move throughout a system undetected to steal information or cause damage.

How They Impact Election Offices

For election offices, insider threats could attempt to breach voting systems, steal sensitive data on voters from internal databases, or otherwise seek to damage and disrupt the electoral process. Insiders in the elections space could also use their access to let others into secured areas, bypassing controls that limit access to sensitive areas. Attackers could use information stolen from election offices to further mis/dis-information narratives or sell it to others seeking access to systems.

Seasonal employees such as temporary workers in your office and volunteer poll workers pose a potential cyber risk to election offices. These individuals may not undergo typical levels of vetting. They could attempt to use their access to steal information or otherwise interfere with elections. These seasonal workers may also be unfamiliar with the equipment they are using and may become accidental insiders by misconfiguring a system, falling for a phishing scam, or otherwise unintentionally allowing attackers into systems.

What You Can Do

  • Limit the level of access individuals have to systems (principle of least privilege). Typically, personnel should only have access to the systems they need to carry out their assigned tasks.
  • Implement network monitoring and logging to catch suspicious activity, such as contacting an unusual IP address or website, and to provide a record to review in the event of a suspected breach.
  • Use layered security, including Albert sensors and Endpoint Detection and Response (EDR).
  • EDR offers advanced capabilities, including asset inventory, application inventory, and user account monitoring. For more information, please email [email protected].
  • Install surveillance systems in sensitive areas, and ensure that the feeds are available to key personnel.
  • Back up critical systems as frequently as possible, and consider using off-site and offline backups to limit the ability of someone to tamper with them.
  • Properly vet new hires, temporary employees, poll workers, etc.
  • Review and follow recommendations included in CISA’s Election Infrastructure Insider Threat Mitigation Guide.
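
The first two recommendations can be checked routinely with a short script. The following is an added example, not part of the original article: it flags accounts whose access exceeds what their role needs and connections to destinations outside expected networks. The role names, system names, network ranges, accounts, and log lines are all constructed assumptions.

```python
import ipaddress

# Hypothetical baseline: the systems each role needs for its assigned tasks.
ROLE_BASELINE = {
    "poll_worker": {"epollbook"},
    "temp_clerk": {"epollbook", "ballot_tracking"},
    "it_admin": {"epollbook", "ballot_tracking", "voter_db", "backup_server"},
}
# Hypothetical networks office workstations are expected to contact.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
# Constructed access grants: (account, role, system).
GRANTS = [
    ("jdoe", "poll_worker", "epollbook"),
    ("jdoe", "poll_worker", "voter_db"),       # seasonal account with database access
    ("asmith", "temp_clerk", "ballot_tracking"),
    ("temp7", "volunteer", "epollbook"),       # role with no defined baseline
    ("mlee", "it_admin", "backup_server"),
]
# Constructed connection log, one "timestamp account destination_ip" per line.
CONN_LOG = """\
2024-10-01T09:14:02 jdoe 10.20.4.15
2024-10-01T09:20:47 asmith 203.0.113.77
2024-10-01T09:31:10 mlee 192.0.2.10
not a valid line
"""

def excess_grants(grants, baseline):
    """Return grants that exceed the role baseline (unknown roles get no access)."""
    return [(u, r, s) for u, r, s in grants if s not in baseline.get(r, set())]

def unusual_destinations(log_text, expected_nets):
    """Return (findings, skipped): connections outside expected networks, bad-line count."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, account, dest = line.split()
            addr = ipaddress.ip_address(dest)
        except ValueError:  # wrong field count or unparseable address
            skipped += 1
            continue
        if not any(addr in net for net in expected_nets):
            findings.append((ts, account, dest))
    return findings, skipped

if __name__ == "__main__":
    print("Access beyond role baseline:", excess_grants(GRANTS, ROLE_BASELINE))
    print("Unusual destinations, skipped lines:", unusual_destinations(CONN_LOG, EXPECTED_NETS))
```

A nonzero skipped-line count is itself worth reviewing, since gaps or malformed entries reduce the value of the log as a record after a suspected breach.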