CISA flags election system threats ahead of midterms
The Cybersecurity and Infrastructure Security Agency and the Elections Infrastructure Information Sharing and Analysis Center are urging state and local election officials to secure their systems.
To help state and local officials with election security ahead of the midterm elections, organizations are issuing advice on supply chain risks, insider threats and strengthening election systems’ cyber defenses.
The Cybersecurity and Infrastructure Security Agency on June 30 released information on mitigating supply chain risks to election infrastructure, including hardware, software, services and paper supplies.
CISA advises election offices to deploy a robust supply chain risk management plan that identifies the security concerns with products and components they must buy. Suppliers should be identified and continually monitored to ensure they meet the latest supply chain management security policies and procedures. Election officials should also continually monitor their vendors, anticipate higher costs and longer lead times for products and be sure their budgets and processes can accommodate delays.
The security agency also recently warned of insider threats to election systems. Whether accidental, negligent or intentional, insider threats put the confidentiality, integrity and availability of election systems and information at risk. Electronic threats include viruses, data breaches, denial of service attacks, malware or attacks on unpatched software – as well as the spread of election-related mis-, dis- and mal-information, CISA said in a recent guide.
Insider threats can be mitigated by the use of standard operating procedures and access control processes, such as logs and video footage. Using the principles of zero trust to validate a user’s identity at every request for access will provide the granular information needed to secure systems. A chain of custody will produce an auditable record of transfers and transactions, enabling detection of a potential threat if there is a gap in the chain, the guide said.
“Effective insider threat mitigation requires that organizations foster a positive, supportive culture that encourages employees to report unusual behavior,” the guide states. It requires transparent and consistent reporting processes that both staff and the public understand will be taken seriously and handled appropriately. “Election infrastructure stakeholders should emphasize that contribution toward this goal is shared by everyone in the community, including staff, vendors, and volunteers involved in administering elections,” CISA said.
The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), meanwhile, launched the Cyber STRONG Campaign, which highlights six steps election offices can take to bolster their cyber defenses:
- Stay connected: Election offices should sign up for EI-ISAC membership so they have easy access to a community of 3,000+ election offices and election-specific cyber threat intelligence. Membership also includes no-cost web security and endpoint detection and response services to help protect election IT systems against cyber threats.
- Train and communicate: Tabletop exercises can help cybersecurity teams develop tactical strategies for securing their systems, and regular communications with staff can help them learn to avoid phishing schemes.
- Ready your network and devices: Offices can sign up for EI-ISAC’s no-cost web security solution, Malicious Domain Blocking and Reporting, and device-level cyber defense for workstations and servers through the no-cost Endpoint Detection and Response service.
- Own your environment: Identifying and reporting misinformation can help reduce the spread of false information about elections.
- Nurture your cyber strength: EI-ISAC’s Essential Guide to Election Security can help election officials build a program designed to meet individual needs and abilities.
- Go tell your story: Officials can raise public confidence in local elections by sharing their story and driving voters directly to election officials’ websites and social media pages.
"At the end of the day, the responsibility for election cybersecurity rests with election officials,” said Trevor Timmons, EI-ISAC Executive Committee chair and chief information officer at Colorado Department of State. "The Cyber STRONG campaign is intended to frame steps that will help election offices achieve solid and specific cybersecurity measures to support secure elections in their jurisdictions."