Combating U.S. Election Cyberthreats
Government elections across the globe face huge cybersecurity concerns, but none more so than the upcoming U.S. presidential election in November. The entire process presents numerous opportunities for hackers to skew the electoral process or even the result of the election itself. From hackers infiltrating voting machine software, voter registration systems and electoral offices during the election to the misuse of platforms such as social media to plant misinformation prior to the election, every part carries a risk.
The recent cyberattack on Twitter shows how easy it can be for cybercriminals to impersonate powerful and trusted people, and that politicians are not exempt from this. It also showed that the security of the election could be out of the hands of the electoral offices and candidates themselves, with the influence of social media platforms posing a huge risk to the integrity of the election.
Ahead of the 2020 U.S. elections, foreign states will continue to use covert and overt influence measures in their attempts to sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the U.S. and undermine the American people’s confidence in the democratic process. They may also seek to compromise the election infrastructure for a range of possible purposes, such as interfering with the voting process, stealing sensitive data or calling into question the validity of the election results.
These risks have only been heightened by recent concerns about China, Russia and Iran’s involvement in targeting the U.S. election infrastructure in the lead-up to November’s election, according to a recent statement by NCSC Director William Evanina, released by the Office of the Director of National Intelligence on Aug. 7. Furthermore, research shows that the majority of state and local election administrators will need much better technologies to protect themselves from cyberthreats, and fewer than 30% have basic controls to prevent phishing. There is clearly work to be done.
How Can Electoral Offices Protect Voting Data?
Electoral offices are running out of time and their worries are only increasing. This is demonstrated further by the launch of Election Cyber Surge, which functions as a matchmaker service, connecting U.S. election officials concerned about cybersecurity with volunteers who are experts in the field. Officials will choose an area of particular weakness and then choose from a list of volunteer helpers. But, according to many security awareness advocates, while the project could potentially be helpful, involving a brigade of volunteers in election security offers no guarantee that any effective cybersecurity strategies will be implemented.
The threat is rising and actions need to be taken. But what steps can electoral offices take to ensure they don’t become the next victim?
Election Security Is a Local, State and Federal Partnership
Electoral offices have a plethora of data to protect: sensitive information including but not limited to Social Security numbers, addresses and dates of birth. Given this, it’s an issue that even the Department of Homeland Security (DHS) recognizes as a top priority. In a statement, the DHS declared:
“A secure and resilient electoral process is a vital national interest and one of our highest priorities at the Department of Homeland Security. We will remain transparent as well as agile to combat and secure our physical and cyber infrastructure against new and evolving threats.”
To help electoral offices, election infrastructure was designated as part of the nation’s critical infrastructure under the Government Facilities sector in January 2017. Under the designation, DHS, through its Cybersecurity and Infrastructure Security Agency (CISA), provides an array of services that state and local election officials can use to reduce both cyber and physical risks to their election systems and facilities. The designation allows DHS to provide services on a prioritized basis at the request of state and local election officials.
For example, in the State of Texas, any electoral contract for the acquisition of a voting system must be (1) in writing and (2) approved by the Secretary of State. This approval is required to ensure that the voting system being acquired complies with applicable state requirements and to verify that the system delivered is certified by the Texas Secretary of State. Also, the voting system must be validated, following specific instructions, to confirm that the software installed and used on it is the same software that was certified by the EAC.
It’s Not Network Security, It Is a Data-first Mindset
It’s a popular topic of conversation, yet many electoral offices are still placing too much emphasis on protecting the network infrastructure, which cannot always protect voter data. The issue is therefore not so much the network infrastructure itself as securing the data within the network in a bid to keep out malicious actors.
In reality, the question shouldn’t be whether a platform itself is secure; the focus instead should be on keeping the data secure as it travels within and outside of the network. For example, by using methods such as crypto-segmentation, electoral offices can create fine-grained policies whereby keys are automatically rotated, thereby keeping data and the keys to this data safe and secure. This security control is simple to deploy and enables policy enforcement at a very granular level, thereby increasing the complexity for any cybercriminal trying to exploit a network and targeted data and eliminating a potential data breach.
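The per-segment keys and automatic rotation described above, as an added example that is not from the article or from any product. The segment names, roles, one-hour rotation interval and all function names are assumptions, and HMAC tags stand in for the encryption a real deployment would apply to each segment.

```python
import hashlib
import hmac

ROTATION_SECONDS = 3600  # assumed rotation interval: one key epoch per hour

# Constructed policy: the segments each role may obtain keys for.
POLICY = {
    "registration-clerk": {"voter-registration"},
    "results-auditor": {"results-reporting"},
}

def epoch_for(ts):
    """Map a Unix timestamp to its key epoch."""
    return int(ts) // ROTATION_SECONDS

def derive_key(master, segment, epoch):
    """Derive a key bound to one segment and one epoch from the master key."""
    return hmac.new(master, f"{segment}|{epoch}".encode(), hashlib.sha256).digest()

def issue_key(master, role, segment, now):
    """Key-server side: release only the current-epoch key, only if policy allows."""
    if segment not in POLICY.get(role, set()):
        raise PermissionError(f"{role} may not access segment {segment}")
    return derive_key(master, segment, epoch_for(now))

def protect(key, payload):
    """Sender side: tag a payload under the segment key it was issued."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify(key, payload, tag):
    """Receiver side: constant-time check of the tag under the held key."""
    return hmac.compare_digest(protect(key, payload), tag)

def demo():
    master = bytes(range(32))           # constructed master key; stays on the key server
    t0 = 1_600_000_000                  # constructed timestamp
    payload = b"voter-id=EXAMPLE-0001"  # constructed record
    k_reg = issue_key(master, "registration-clerk", "voter-registration", t0)
    tag = protect(k_reg, payload)
    k_res = issue_key(master, "results-auditor", "results-reporting", t0)
    k_next = issue_key(master, "registration-clerk", "voter-registration", t0 + ROTATION_SECONDS)
    return {
        "same_segment": verify(k_reg, payload, tag),      # key for this segment and epoch
        "other_segment": verify(k_res, payload, tag),     # key from a different segment
        "after_rotation": verify(k_next, payload, tag),   # same segment, next epoch
    }

if __name__ == "__main__":
    print(demo())
```

A key taken from one segment, or from an earlier epoch, validates nothing outside that segment and time window, which is the containment property the paragraph attributes to crypto-segmentation.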
Prioritizing Election Data Security
U.S. electoral offices have many issues to think about at the moment, but cybersecurity doesn’t have to be one of them. With a data-first approach to cybersecurity, electoral offices can focus on their election strategies and campaigns, whilst their data will be kept secure regardless of new technology or equipment added to the network. Time is ticking, and the electoral game is fully underway. But who will win the cybersecurity race, electoral offices or cybercriminals?



