×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In Cloud Security CIS Cloud Security Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite®
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Secure Your Organization


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

EI-ISAC Cybersecurity Spotlight – Encryption

What it is

Encryption is the process whereby data is converted from a readable form (i.e., plaintext), to an encoded form (i.e., ciphertext). This encoding is designed to be unintelligible except by parties that possess a key to reverse the encoding process. This reversal process is called decryption. Data is encrypted using a mathematical algorithm that relies on passcodes (keys) that are typically randomly generated. The most trusted encryption algorithms are considered secure because they have been publicly available for years and have not been broken. An attack on data encrypted with a trusted encryption algorithm could take years for even the most powerful computers to break.

There are two types of encryption: asymmetric (public key) encryption and symmetric (private key) encryption.

Asymmetric Symmetric
Keys 2 keys – public (to be shared) and private (secret and possessed by only 1 person) 1 key – private (secret but shared between two or more partners)
Process The sender encrypts information with recipient’s public key and the recipient decrypts information with their private key The sender encrypts information with a private key and the recipient decrypts information with the same private key
Speed Slower Faster

 
An easy way to understand these two types of encryption is two different types of lockboxes. In symmetric cryptography, you have a lockbox with one slot for a key. You make two copies of the key, and you give one to your friend. You lock the box with your copy, and when your friend comes along, they use their copy of the same key to unlock it.

Asymmetric cryptography is different. It’s more like a deposit dropbox at a bank. The bank publishes the location of the dropbox (the public key), and once you drop your deposit into it, it’s secure until the bank opens the box with the one and only copy of their key (the private key). Anyone can make a deposit once they know the location of the box, but only the bank can get deposits out.

Why does it matter

Encryption allows for the confidential storage and transmission of data, as well as proof that it originated with the person who claims to have sent it. Encrypting personally identifiable information (PII) with good encryption algorithms protects the data from accidental disclosure in the case of a data breach or malware infection. Elections offices may maintain a number of systems that utilize encryption and are responsible for identifying data that should be encrypted. This may include emails containing sensitive data, user connections to election office websites, stored passwords, financial information, voter registration records and databases, vote tabulation data on voting machines, and the transmission of election night results.

What you can do

Implement encryption when data is at rest (e.g., stored in a database or on a device) and in transit (e.g., sending through email) and ensure your election office’s adherence to encryption standards. The National Institute of Standards and Technology (NIST) Special Publication 800-175B provides the U.S. federal requirements for encryption standards to secure data at different sensitivity and/or classification levels. NIST Special Publication 800-122 provides the U.S. federal requirements for protecting the confidentiality of PII. For recommendations on where to implement encryption for election-related systems, please see best practices 4, 8, 9, 12, 46, 52, 83, and 84 of CIS’ A Handbook for Elections Infrastructure Security.

---

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact elections@cisecurity.org.