Best practices for election systems security
- By Matt Leonard
- Mar 16, 2018
Before the 2016 elections, the FBI issued an alert to states asking them to check their election systems for traffic from a few specific IP addresses. In Indiana, that meant sifting through 15 million logons, according to Indiana Secretary of State Connie Lawson, who also heads the National Association of Secretaries of State.
“You have to think about how excited folks were about the 2016 elections,” Lawson said. Websites were getting traffic from candidates filing, candidates getting signatures on petitions, absentee ballots, voter registration and other activity.
The alert from the FBI moved security for Indiana’s election system from a priority to a “hyper priority,” she said.
Since then the state has made a number of changes to tighten election security. Lawson has applied for and received security clearance to get more information from federal officials on the threat. The state migrated its data to a new cloud vendor, and websites and poll books that use election data don’t tap into the actual, live database, but instead access a mirror site that updates on a regular basis.
The state is also piloting a new monitoring solution from the non-profit Center for Internet Security called Albert, which uses commodity hardware and open-source intrusion detection software to analyze network traffic to find suspicious activity based on known signatures.
The Albert pilot has been up and running in Indiana for only a few days, but CIS plans to expand availability in coming months, Lawson said.
CIS also released "A Handbook for Elections Infrastructure Security," which gives localities 88 concrete ways to secure their own elections systems.
Since election systems were identified as potentially vulnerable to hackers, much information has been released to help jurisdictions improve their systems' security, but something was missing, according to Michael Garcia, one of the report authors.
“Even with all these efforts, what we didn’t see was many that were technical, that really provided technical guidance to get something done,” Garcia said.
The CIS handbook translates the technical aspects of election systems security for government leaders less well versed in network protection. “It’s really hard to describe the technical things that are going on from a cybersecurity perspective in non-technical terms,” he said.
The 88 best practices are broken down by priority (high or medium), and all include resources for putting them into practice. High-priority recommendations include implementing application whitelisting and multifactor authentication; medium-priority practices include keeping a custody chain of devices and ensuring user activity is logged and monitored for abnormal activities.
In May, CIS plans to release a web-based assessment tool that would allow localities to input their security practices and receive a report with recommended improvements. CIS is currently conducting penetration testing on it, Garcia told GCN.
CIS is also providing training to organizations, including the National Guard, that could conduct independent assessments based on the guidance in the handbook. The group also plans to release a procurement guide to help elections officials with their purchasing decisions.
Matt Leonard is a former reporter for GCN.