Cybersecurity War Room in the 2020 Election Cycle

2021 NACo Achievement Award Winner

Maricopa County, Ariz.

About the Program

Category: Information Technology (Best in Category)

Year: 2021

The Maricopa County Information Security Department learned a multitude of lessons from the 2016 election cycle, which saw the first well-documented instance of foreign intrusion into American elections with the purpose of influencing, and if possible changing, the outcome. The team crafted a response to those threats that resulted in a prototypical, dedicated Election Day resource called the War Room.

The War Room commences two hours before polls open on Election Day and disassembles two hours after the polls close, with teams monitoring the most prevalent threat vectors in twelve-hour shifts. The Information Security Operations team (InfoSec SecOps) provides hourly reports to Maricopa County executives and officials that set threat conditions at green (no real threat), yellow (monitoring for possible intrusion), or red (threat has an impact on election events). Additionally, the team enters a heightened state of security and monitoring in the weeks leading up to the election, engaging in active threat hunting for possible threats both internal and external to the County.

The 2020 election cycle was arguably the most contentious in modern history. Between our US intelligence agencies sharing their assessment of foreign meddling and Maricopa County’s own experience from the 2016 and 2018 elections, we knew that a focused and methodical approach to protecting the 2020 election was required. Over the course of the presidential preferential, primary, and general elections, Maricopa County Information Security took an aggressive and iterative approach to ensuring that the elections were free from cyberattacks.

Throughout the calendar year, we saw multiple tactics employed against the County from a variety of threat actors: nation-states, APTs, hacktivists, and individuals. Given the intensity and diversity of these attacks, we found our default incident response (IR) plans insufficient to meet our defensive/communication needs. We developed customized IR plans specific to the 2020 election, and through planning, practice, and effective/consistent communications, we were able to successfully defend Maricopa County against cyberattacks from everyone who sought to negatively influence our delivery of a free election.