I. In Focus This Week
States, counties prepare for changing threat environment
Many resources available to elections officials
By Matthew V. Masterson, senior cybersecurity advisor
U.S. Department of Homeland Security
In my role at the U.S. Election Assistance Commission (EAC) and now with the Department of Homeland Security (DHS), I’ve been fortunate to travel the country, interact with state and county election officials, participate in trainings, and witness the advances that officials are making to manage the risks to elections.
While securing election systems isn’t new for election officials, the threat environment changed in 2016 with nation-state actors targeting election systems. The good news is that, election officials are natural risk managers who constantly ask themselves what could go wrong and plan to respond. My job is to ensure that the federal government provides them with all the necessary threat, vulnerability and risk information in order to make those plans and respond.
I’m incredibly encouraged by the willingness of election officials across the country to engage with DHS and form a partnership. So far, officials across 48 states are engaged with us on election security efforts in some way whether through the sharing of information, use of our services or incident planning.
Their participation has been essential in forming an Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), a similar model to what is used in the financial and electricity sectors. This organization provides specific information on malicious cyber activity that could be targeting election infrastructure.
With over 700 members the EI-ISAC is growing fast! This organization is free for election officials to sign up to receive election-specific cybersecurity information. I encourage all state and local elections to sign up at https://learn.cisecurity.org/ei-isac-registration
State and local election officials are also readily leveraging the security services and assessments DHS provides. Whether it is scanning to make certain that the databases and websites are configured properly, or simply phishing training for members of their staff, the election community has embraced the resources DHS can provide as part of their multi-layered cybersecurity strategies.
For more information on the services DHS is providing to state and local officials go here: https://www.dhs.gov/publication/election-infrastructure-security-resource-guide
And this is not to say that states that are not using DHS services aren’t taking the threat seriously, quite the contrary. I’ve been around the country and seen how seriously election officials are taking the threat and how they are continuing to mature as IT managers on top of all the other hats they wear.
For instance, in Indiana they are implementing two-factor authentication on their databases and increasing monitoring. Florida is deploying cyber navigators to their local officials to help support them. Orange County, California just published a comprehensive election security playbook. Denver, Colorado works collaboratively with city IT officials to provide real time threat sharing.
Many are utilizing third-party vendors or in-house services. DHS’s free services are but one of a variety of options that election officials are using to help protect, detect and recover from cyber risks.
State and local governments own and administer elections in this country, and DHS is there to support their efforts. We’re learning how to best help this community to manage their risk. Election officials are making very real progress in improving the resilience of the election process. To effectively learn how to best provide support, we have formal partnership bodies with government and private sector representatives that allow us to convene, share information, and build consensus on how to ensure the security of elections going forward.
The Election Subsector Government Coordinating Council is a representative body of 24 state and local election officials, the EAC, and DHS. It’s no accident that this council is made up overwhelming of state and local officials. Recently that group developed a guidance to help election officials determine how to use recent funding to better secure systems. The great thing about this document, is that it was developed by the election community, informed by the assessments being performed by DHS, and supports broad initiatives to advance security in both the near-term and for elections to come.
The Sector Coordinating Council coordinates between government and private industry, including the major vendors in the election equipment and services market. Vendors on the Sector council are taking advantage of DHS cybersecurity services and information sharing. Recognizing their important role in the process election system providers have been engaged and active partners with DHS.
Sometimes, it seems that so much has changed since 2011 when I first started working on elections in Ohio, but the reality is, that election community has always faced challenges, and maturing the security of this sector is just the next one. Election security has become a national priority – but for election officials, security and contingency planning has always been a priority.
- Next >>