Recently, the Local Democracy Initiative Cities Vote team spoke with Lewis Robinson, the Vice President of Elections Operations at the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). The EI-ISAC was established in 2018 to support the cybersecurity needs of the elections subsector. The EI-ISAC is one of many ISACs, which were first created in response to Presidential Decision Directive-63 (PDD-63) in 1998, which asked each critical infrastructure sector to establish sector-specific organizations to share information about threats and vulnerabilities. In addition to the EI-ISAC, local governments may also participate in other relevant ISACS, including the Multi-State ISAC for State, Local, Tribal, and Territorial Governments, the Surface Transportation ISAC, or the Water ISAC.
Where can local leaders start in developing and integrating a cybersecurity plan into emergency preparedness?
Many jurisdictions already have plans in place for hurricanes, tornadoes, and power outages as required by their state election office. Local leaders should add a cyber incident response component to their existing Incident Response Plan. They can contact their local or state emergency management office for assistance in crafting their response plan. Another resource for developing a cyber incident response plan is the CISA Cyber Incident Detection and Notification Planning Guide for Election Security. The key here is to work with their local or state Emergency Management offices, who are continually doing incident response planning.
Each organization has many risks they need to consider, and that includes the costs associated with preparing for, responding to, and mitigating a cyber incident. Local leaders have to decide where on the risk matrix it falls, and what resources to allocate.
In addition, we recommend that poll workers have basic cybersecurity training to understand the various cyberthreats and the response to those threats—including basic cyber hygiene knowledge. Poll workers should receive basic security awareness training to assist in spotting suspicious activity or responding to a security incident at a polling place. Whether it’s a fire, a power outage, or something else, they should have the ability and the knowledge to respond to a variety of incidents.
How easy is it to hack a voter registration list, poll book, or vote tabulation system?
Whether something is “easy to hack” is really a measure of risk. Risk is unique for each system and for each deployment of that system. We did an assessment of the risk environment when we first developed our Handbook for Elections Security and the individual systems themselves are hardened against potential risks, such as hacking.
On the whole, election systems use the same consumer off-the-shelf systems you use every day, so they are just as susceptible to hacking as any other technology system; it’s the controls in place around those systems, as well as the backups involved, that ensure security and integrity in election systems. The online voter registration system is not the authoritative list, the authoritative list is usually stored offline and states run data guards and anomaly checks before copying from the online system to the offline system for storage. The vote tabulation systems have logic and accuracy tests conducted before deployment, at the opening of the polls, the closing of the polls, and before being returned to storage, to ensure the software has not been tampered with. Ultimately, risks are reduced by employing technical, administrative, and physical controls. Through our efforts to help election officials, we have seen tremendous risk reduction since 2016.
What is the worst-case scenario for a local elected official when it comes to cybersecurity?
The biggest threat and worst-case scenario for an election official is a ransomware attack—which can potentially cost millions of dollars. That affects their jurisdiction, and they lose access to critical systems during an election period. If their systems lock down and they cannot get into the system, they are unable to conduct the election until the system is back online. Ransomware is a huge problem, not only here in the United States, but internationally. It is important to have backup systems and to have this information available, so if your system is locked, you can reestablish it.
What can localities with limited resources and outdated equipment do to shore up security for elections?
Localities that are faced with these limitations can take advantage of the low-cost or no-cost services available to them such as email security from Microsoft’s Defending Democracy program, Google’s Protect Your Election program, Web Application Protection from Cloudflare’s Athenian Project, and by becoming a member of the EI-ISAC to receive cyberthreat information and cybersecurity services, such as our Malicious Domain Blocking and Reporting service. They can visit www.cisecurity.org/elections to learn more about our no-cost EI-ISAC membership. Since we are adding new features and services to the EI-ISAC membership on a regular basis, those that are already EI-ISAC members can contact us at email@example.com to explore if there are additional cybersecurity defenses appropriate for their organization.
What are the most overlooked aspects of cybersecurity at the local level?
The most common challenges for local entities, which some organizations adhere to, but is worth underscoring, is the necessity of providing easily available technical resources to ensure that software and hardware patches are up to date and limit the usage of end-of-life and end-of-maintenance software and hardware. Recurring security awareness training must be happening in addition to vigorous random phishing campaigns to make sure their staff are applying the lessons of the training.
Can you describe some of the advantages of joining EI-ISAC?
Members receive access to threat information from the federal government and our monitoring of over 700 state, local, tribal, and territorial networks to provide targeted information on the threats impacting election officials. They can also monitor for cyberthreats and vulnerabilities on the open Internet. And they have access to no-cost incident response assistance through our CIRT team and as part of a collaborative partnership among the membership to engage on best practices, lessons learned, and issues impacting their jurisdiction.
For more information on EI-ISAC and to apply for a free membership!