Voting problems turn the spotlight on confidential data
- By Brent Hansen
- Mar 04, 2020
In the midst of a very competitive set of primaries leading up to the presidential election, IT professionals in all levels of government must ensure voter information is not compromised. Unfortunately, it seems elections officials are learning some difficult lessons lately.
The results of the Iowa caucus, after a limited recanvas, were finally announced only in the second half of February. The New York Times reported similar data errors in the Nevada Democratic caucuses, finding “flaws in the results of at least 9 percent of precincts, including some instances in which delegates appeared to have been given to the wrong candidates.”
Even now, it’s hard to point the finger at the real culprit in the Iowa caucus debacle (and the painfully slow Nevada results). Fortunately, the data was available on paper.
Nevertheless, the large voter turnouts, user errors, untested technology, faulty apps and the cache of voters’ hacker-tempting personally identifiable information continue to make the general election a prime target -- not just for hackers trying to manipulate election results but also for those who are looking to steal voters’ PII. That makes the encryption of PII all the more important, especially in voter registration databases.
Encryption inherently applies protection to the data itself so even if a breach occurs, data is still protected. There are three steps to implementing an effective encryption strategy:
- Identify sensitive data. Inventory data and determine what is sensitive. In elections, it may be voters’ information or even the votes themselves. Check data-at-rest in storage, file servers, applications, databases and removable media. Check in both on-premises data centers and cloud and virtual environments. Don’t lose sight of data that travels across networks.
- Protect sensitive data. After identifying data in need of protection, encrypt the data to keep it safe. Apply granular encryption and role-based access controls to data residing in databases, applications, files and storage both on-premises and in the cloud. Again, be sure to also secure data in motion.
- Manage the protection. In addition to employing strong encryption, the cryptographic keys used to lock and unlock encrypted data must be treated with the same level of care. If these keys are compromised, data can be easily decrypted.
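The following Go code is an added example, not part of the original article: it encrypts a single PII field with AES-256-GCM, binds the ciphertext to its record and column, and re-encrypts it under a new key so the old one can be retired. The function names, the context string (record ID plus column name) and the assumption that keys are supplied by an external key manager are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key (AES-256); assumed to come from a key manager
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns nonce||ciphertext||tag. ctx (record ID plus column name) is
// authenticated, so a value copied into another row or column will not decrypt.
func EncryptField(key []byte, ctx, value string) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(value), []byte(ctx)), nil
}

// DecryptField fails if the key, ctx or any stored byte differs from encryption time.
func DecryptField(key, sealed []byte, ctx string) (string, error) {
	g, err := newGCM(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return "", errors.New("bad key length or truncated value")
	}
	pt, err := g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], []byte(ctx))
	return string(pt), err
}

// Rotate re-encrypts a stored field under newKey so that oldKey can be retired.
func Rotate(oldKey, newKey, sealed []byte, ctx string) ([]byte, error) {
	value, err := DecryptField(oldKey, sealed, ctx)
	if err != nil {
		return nil, err
	}
	return EncryptField(newKey, ctx, value)
}
```

Because the key never sits next to the stored ciphertext, a copied database or backup tape yields nothing readable unless the key store is compromised as well.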
Whether the cause is malicious intent or simple user error, the failure to accurately tally electronic voting results underscores the fact that government continues to battle data breaches and manipulation. Protection must start at the creation of a new data record and extend all the way to wherever it might someday reside, such as a database backup on a tape drive off site. There can be no gaps.
The struggle is real. It isn't only ransomware or nation-states that can wreak havoc on data security; insider threats, application bugs and even innocent mistakes can create security vulnerabilities.
Remember, the intent of any data breach or compromise isn't always clear. Bad actors are patient and motivated. We must act as if we are under attack every moment -- because we are.
Brent Hansen is federal CTO of Thales Trusted Cyber Technologies.