Have you scheduled your Election Security Assessment yet?

Election security is a topic that has gotten a lot of press coverage lately. Without elaborating on the details of possible gloom and doom scenarios, we are simply going to state that the odds are pretty good that at some point, your election infrastructure may be targeted. Now that we have addressed the elephant in the room, take a deep breath and keep reading, because a security event doesn’t have to be a headline grabbing story.

Let’s go to Potter County, Texas and find out what can happen if you invest the time to plan and prepare. It cannot be stressed enough how important it is for county election officials to be prepared for a cyber event. Melynn Huntley, the Potter County Elections Administrator did just that. She knew that an election security assessment was critical for the county and would serve as a valuable tool for election officials, especially as they prepare for the 2020 elections.

County election security assessments are available in the State of Texas courtesy of funds received through the Help America Vote Act (HAVA). The program allows all 254 Texas counties to undergo an assessment to review county election infrastructures including people, processes, and technology. Similar programs may be available throughout the nation. Melynn took full advantage of her security assessment and it proved to be vital to keeping Potter County’s elections on track last spring.

Here’s what happened. On April 19, the Friday before early voting was to begin, Potter County’s computers were infected with a virus. The IT director instructed everyone to plan for the worst: no phone, email, internet, shared files and no connectivity, which would place the upcoming election in jeopardy. But Melynn and her team were prepared since they had already created a plan that was developed as a result of the assessment.

The plan was then quickly enacted. Jumping to the end of the story, they were able to isolate the election infrastructure from the rest of the county. On the following Monday, elections proceeded as planned. Melynn knew that the election infrastructure was protected and talked to the news media and explained why the department was functioning safely when the rest of the county was shut down. The news media then left them alone and focused on challenges faced by other departments in the county. At the end of the day, the assessment proved invaluable. Showing that the time to create a plan is not during a disaster, it is always better and less expensive to plan versus react and recover.

What happened to Potter County is not unusual nor unique. It could happen anywhere, anytime, across the country. What is unique to Potter County was the plan that they devised ahead of time when they weren’t under pressure. Whether a breach results from a virus or deliberate foreign nation-state actors waging disinformation campaigns, election officials need to avoid doubt and chaos entering the elections process to help to keep the public trust.

The prevalence of persistent, preventable “seams” or vulnerabilities in our election system tools, processes and guidelines leave counties vulnerable. Often tactics used by foreign nation-states to manipulate elections are manifested through attempts at electoral fraud that stem from the successful exploitation of gaps in election system, component chain-of-custody and data tampering.

Election officials need to apply technology and information security across every aspect of the elections process, not just the network. A good election assessment plan will contain many of the elements of a good cyber assessment, but also adds critical elements that are unique in many ways.

While you need to (i) address problems pertaining to the identification of key areas of network protection, (ii) define and prioritize response procedures, and (iii) set up lines of emergency communications – there is more. The process also needs to take into account the following elements specific to election infrastructure:

• A gap analysis of the election process including people, process, and technology security controls. The analysis covers administrative, physical or technical aspects of the election process based on common industry standards (NIST, DHS Guidance, CIS).
• Technical scans that identify vulnerabilities and exposures from an internet accessible and configuration perspective
• A security review that targets potential vulnerabilities in the Voter Registration Database

When all these elements are gathered, a plan is devised with the specifics of the individual county and any unique factors captured. Although the threat elements may be common across the country, the infrastructure, processes and procedures are not one size fits all.

We are less than a year away from our next national election that is already being followed with much interest around the globe. If they haven’t done so already, county election officials need to start right away and make sure that they get ahead of the timeline. Follow Potter County’s example and schedule an assessment as soon as possible. Best case scenario, nobody uses it.