A self-assessment tool for checking election cybersecurity came out in pilot phase June 4, according to Mike Garcia, primary author of A Handbook for Elections Infrastructure Security, published by the Center for Internet Security or CIS.
Garcia alerted participants about the new tool May 23 at the National Symposium on Cybersecurity & Local Government presented by Public Technology Institute (PTI) and NACo.
The self-assessment tool presents a simple set of questions about security practices, Garcia said. Once answered, local election officials will be able to see a dashboard showing their system’s strengths and areas needing improvement.
“We’re hopeful it provides state and local elections officials with a better ability to prioritize and manage their approach to cybersecurity,” he said, “in addition to helping determine how they might best spend any grant funding they receive through the EAC [Election Assistance Commission].”
CIS is the umbrella organization for the Elections Infrastructure Information Sharing and Analysis Center or EI-ISAC, a free service that offers the self-assessment tool among other ways to help governments with elections cybersecurity. Since EI-ISAC’s formation was announced in March, the center has gained more than 600 registered members, including nearly 550 local elections offices.
Anyone hacking into an election is “not just trying to change votes — it’s about undermining the reputation of democracy,” Garcia said.
An attack on elections infrastructure is different from a cyberattack on, say, the Department of Motor Vehicles, “because there’s no backup for Election Day,” he said.
Attackers’ goals, he noted, include information theft, espionage, sabotage, defamation or blackmail of targets. In addition to damaging the country’s reputation, their motivation can also be to change votes.
The 2016 presidential election was the “shot across the bow” from hackers, and election officials today need to prepare, Garcia said.
The most substantial risks are to components that have network connections.
Training for independent assessors is in early development and could begin this fall, he said.
“We hope to have training for independent assessors up and running before the fall, but most likely it won’t have a substantial impact on elections operations until after 2018,” Garcia said. “Our hope is that elections organizations do a self-assessment as an immediate measure, with both self- and independent assessments occurring regularly going forward.
“We will be ready to train both private and public organizations that wish to conduct these assessments; we simply want to see a greater availability for elections organizations, as well as a more standardized approach to the assessments themselves. We think there are many organizations that are or could be qualified to conduct assessments, but it can be hard to shop around when there isn’t a strong standard of what the assessments should look like.”
States are receiving notification of $380 million from the federal government to shore up election security, according to the Silver Spring, Md.-based U.S. Election Assistance Commission, which is disbursing the funds.
Counties administer and fund elections at the local level, overseeing more than 109,000 polling places and coordinating more than 694,000 poll workers.