Part 1: Build a rock-solid election security foundation that wins voter trust
When building a skyscraper, you don’t start constructing it from the top down. That would be impossible and absurd at best. We all know that in order to build a strong and secure structure, you need to start at the bottom; you have to establish a strong foundation in order to have a structure with integrity. Skyscrapers require a very deep foundation; in some cases, the foundation is nearly half the size of the building that is above ground.
The same is true with elections, especially since they’ve been designated as critical infrastructure in the U.S. The process of conducting elections can no longer happen behind closed doors (nor should it).
A country that once largely trusted the process has had many powerful leaders, organizations and laypersons sow seeds of doubt, discord and distrust about the legitimacy of our elections.
As a result, election administration can no longer operate under the radar, and the closer someone gets to the process, the greater the interest in every nuance encountered along the way. That’s why we’re helping election officials demystify the process with this blog series on election security.
A strong security posture should incorporate, at a minimum, all the critical and high-priority protections identified by the National Institute of Standards and Technology (NIST) that are vital for establishing cyber and physical security resiliency. Further, since the backbone of our elections fundamentally rests on two variables, those who participate (our voters) and the votes cast by those participating, it is imperative that we focus on protecting the systems currently in place that manage both our voters and the votes they cast. These two variables depend completely on the strength of our cyber and physical security posture. We would be wise to never forget the 2016 Presidential election. Every state was targeted by Russia, and they were after voter registration data. A few states were breached, but fortunately no data was deleted or altered. We must be vigilant about protecting these election systems.
There are two easy steps to start enhancing election security.
The first is using what you probably already know: the free services offered by the Cybersecurity & Infrastructure Security Agency (CISA), such as cybersecurity hygiene scans. Start by working with CISA to implement those scans. The second is to implement multi-factor authentication on your critical election management systems, and on any other connected system, as soon as reasonably possible.
From there, conducting an election security self-assessment will likely bring to light security components you have not thought of yet. For example, do you have Malicious Domain Blocking and Reporting (MDBR) in place? And, did you know that the Center for Internet Security (CIS) offers MDBR as a free service? If not, work with CIS to get MDBR implemented.
Keep in mind that you can continue to move forward with what you know and a self-assessment simultaneously. The self-assessment will help to identify other areas that need attention. Most states and localities rely on standards developed by NIST to develop their baseline, but there are other tools available that will assess, and help you strengthen, your security posture, such as Integra.
Conducting a self-assessment will ensure you’re aware of every potential vulnerability in your physical and cyber security infrastructure. Self-assessments will bring to light critical areas such as:
- Do you have an incident response plan in place?
- Is vulnerability detection and protection software being utilized?
- Are your voting system storage locations under 24-hour surveillance?
- Do you have restricted access to your voting system storage locations and at the polling sites on election day?
Foundational issues in your election security posture can be addressed without having to overhaul the election processes you currently have in place.
Being honest about your security posture may seem frightening, but once you establish your baseline, no matter how grim it may seem, you can implement a path forward that will better insulate your election processes from the ground up. As a former state election director, one of the more difficult feats was gaining visibility into how our localities were doing with their physical and cybersecurity posture. Self-assessments bring awareness and visibility so you can strategically target areas needing the most immediate attention.
Once our foundation has been established, we can focus on perception, and, arguably, perception may be more critical, certainly as it relates to increasing voter confidence and trust in our democracy. Let’s take a look at Part 2: Dismantle voter misperception brick by brick through election transparency.