10 Best Practices from Belfer Center’s New Election Cybersecurity Playbook
[Screenshot image via belfercenter]
Last week, the Belfer Center for Science and International Affairs at the Harvard Kennedy School of Government released an election cybersecurity playbook for state and local election officials. The document is absolutely jam-packed with information and advice on this critical issue – with the most important top-level information included in a list of “10 best practices that apply to all election systems.” That list is below:
1. Create a proactive security culture. Risk mitigation starts with strong leaders who encourage staff to take all aspects of election security seriously. Most technical compromises start with human error—a strong security culture can help prevent that. A strong security culture also makes a big difference as to whether a malicious actor: (1) chooses to target an organization, (2) is able to successfully do so, or (3) is able to create public perception that the organization has been compromised. Any state could experience a cybersecurity threat to their elections process—it is the job of leaders to make sure they are prepared.
- Lead by example. Senior leadership, especially Secretaries of State, Election Administrators, and other heads of municipal jurisdictions, need to set an example for the rest of the organization. Issue guidance about the necessity of applying cybersecurity standards (such as those recommended in this Playbook), stressing the importance of cybersecurity for staff by personally introducing orientations and trainings, and following up with operations personnel on a regular basis about the implementation of improved cybersecurity protections. Leaders also need to ensure that those charged with implementing a cybersecurity program have the authority to enforce policies and procedures. Without enforcement, these are only words on paper.
- Develop a detailed cyber incident response plan. As with contingency plans for physical threats, teams should understand critical election system vulnerability points and create a detailed response plan (both internal processes and communications) for any system compromise. Leadership should also mandate frequent testing of critical systems to ensure both their resilience and officials’ comfort with crisis management. Officials should extensively document any real or simulated incidents and review these periodically for training purposes.
- Use external resources to assist in improving cyber defense capabilities and building expertise. Department of Homeland Security and private sector technology companies are available to provide support for prevention and detection. Recognizing Constitutional and other legal restraints, National Guard cyber units, operating under state authorities, can also be a resource to help identify network vulnerabilities. These units are often made up of highly trained professionals involved in private sector cybersecurity.
- Be diligent in selecting who is involved in election administration. Election systems qualify as national critical infrastructure, which raises the security expectations for those involved. Conduct background checks on all personnel involved in accessing sensitive information and privileged systems. Require vendors to do the same.
- Safeguard computers and digital devices that touch the process, regardless of whether they are owned by a vendor, the state or local government, or are the personal device of an official or volunteer.
- Centralize and streamline device security management by incorporating election offices into existing technology security plans.
3. Have a paper vote record. To protect against cyber attacks or technology failures jeopardizing an election, it is essential to have a voter-verified auditable paper record to allow votes to be cross-checked against electronic results. Without a paper vote record, accuracy and integrity of the recorded vote tally depends completely on the correctness and security of the machine’s hardware, software, and data; every aspect from the ballot displayed to the voter to the recording and reporting of votes, is under control of hardware and software. Any security vulnerability in this hardware or software, or any ability for an attacker to alter (or reload new and maliciously behaving) software running on a machine that does not produce a paper record, not only has the potential to alter the vote tally but can also make it impossible to conduct a meaningful audit or recount (or even to detect that an attack has occurred) after the fact.
- Create an auditable paper record for every vote cast that is verified by the voter to ensure if the electronic vote count is maliciously altered, a true record still exists on paper. Make sure that this verifiable paper record has a rigorous chain of custody associated with it.
4. Use audits to show transparency and maintain trust in the elections process. Audits are a mechanism to detect intrusions or manipulations on electronic systems that may go unnoticed and reassure the public that the elections process works. This is an important part of the public engagement strategy that builds confidence and demonstrates transparency. When combined with #3, having an auditable paper vote record, this substantially reduces the risk of a malicious actor delegitimizing an election.
- Embed auditing at points in the process where data integrity and accuracy are critical; for example, with voter registration records.
- Make post-election audits standard practice, using paper records to confirm electronic results.
5. Implement strong passwords and two-factor authentication. Malicious actors frequently use stolen user credentials (e.g., username and password) to infiltrate networks. Although strong passwords are important, two-factor authentication is one of the best defenses against account compromise. Two-factor authentication typically requires a user to present something they know (a username/password) and something they have (such as another associated device or token) in order to access a digital account. Only by having both of these things will the user confirm their identity and be able to gain access to the system.
- Require strong passwords not only for official accounts but also for key officials’ private email and social media accounts. For your passwords, create SomethingReallyLongLikeThisString, not something really short like Th1$. Contrary to popular belief, a long string of random words without symbols is more difficult to break than something short, with lots of $ymB01$.
6. Control and actively manage access. Everyone with access to the computer network can become a target and often only one target needs to be compromised for an attack to succeed. The more people who can use a system, and the broader their access rights, the greater the opportunities for malicious actors to steal credentials and exploit them.
- Limit the number of people with access to the system to those who need it to complete their jobs (the “who”).
- Restrict what each user is authorized to do using the principle of “least privilege,” meaning give users the minimum level of access that they require to perform their jobs (the “what”). For example, not every official from County A needs the ability to view or modify voter registration records in County B.
- Quickly remove those who no longer need access, regardless of their privilege level. Make this a part of standard offboarding procedures for staff.
7. Prioritize and isolate sensitive data and systems. Risk is where threats and vulnerabilities meet. To reduce risk, officials need to think about what vulnerabilities will cause the most damage, given the threat environment. Officials consider two things when making a risk assessment: (1) what data is most sensitive and (2) what disruption could be most damaging to voters’ trust in the election. They should then prioritize mitigating the vulnerabilities that could lead to this damage by isolating and protecting these systems the most. Every part of the system is important, but a good security strategy will determine which systems are most sensitive and prioritize efforts there, since these extra protections create operational hurdles and increase costs.
- Configure devices with sensitive data to only be used for their specific purpose in the elections process (e.g., the software on a vote tallying computer is only what is necessary to run the election management system; or it operates on an isolated network so all wifi/bluetooth is disabled).
- Restrict the use of removable media devices (e.g., USB/thumb drives, compact discs) with these systems. A “one way, one use” policy is best.
8. Monitor, log, and back up data. Monitoring, logging, and backing up data enables attack detection and system or data recovery after an incident. When it comes to monitoring, a combination of human and technical means is best. Local officials highly knowledgeable about their jurisdictions can identify many irregularities. However, this alone may leave gaps in detecting attacks. Automated forms of data monitoring, especially at the state level to detect cross-county patterns, are critical for detecting anomalies and highlighting when manipulation or intrusion occurs.
- Log any changes to the voter registration database, and monitor the database with both a human check and anomaly detection software.
- The adage is that “your data is only as good as your last backup.” This means that (1) backups should be regularly performed, either through automation or as part of a scheduled manual process, (2) backups should be read-only once created to prevent data corruption, and (3) backups should be regularly tested by performing a complete restore from backed-up data. Database technology vendors provide guidance and best practices specific to their technology and database architecture for validating and testing restoration of backups; consult these recommendations when developing your plan. In addition to those recommendations, ensure backups are stored in a different physical location than the master database and are physically secured.
9. Require vendors to make security a priority. In many states, vendors design and maintain hardware and software that affect voter registration, vote capture and tallying, electronic pollbooks, election night reporting, and public communication. In our nationwide security survey, 97% of states and territories used a vendor in some capacity. Some vendors service multiple states— meaning an attack on one vendor could affect many elections. Conversely, smaller vendors may not dedicate the necessary resources to cybersecurity, making them unable to defend against sophisticated attacks…
- Include explicit security stipulations in requests for proposals, acquisition, and maintenance contracts to ensure that vendors follow appropriate security standards, and guarantee state and local governments’ ability to test systems and software.
- Remember that skepticism is healthy. Verify security claims of vendors with independent analysis or reports from trained professionals.
- Require vendors to provide notification of any system breach immediately after they become aware of it.
10. Build public trust and prepare for information operations. Communication is the cornerstone of public trust. Transparency and open communication will counter information operations that seek to cast doubt over the integrity of the election system. For additional information on communication strategies and planning see the D3P “Election Cyber Incident Communications Coordination Guide” and “Election Incident Communications Plan Template”.
- Communicate repeatedly with the public to reinforce the message that integrity is a top priority.
- Before elections are held, start informing the public about cybersecurity threats, the steps taken to counter them (withhold specific details that could aid an attacker), and your readiness to respond in the event of an attack.
- Establish processes and communications materials to respond confidently and competently in the event of an attack.
- Build relationships with reporters, influencers, and key stakeholders to establish trust and have good communications channels before an incident occurs. It is especially important to do this with candidates and party officials.
- Routinely monitor social media, email accounts, and official websites, and establish points of contact with social media firms (e.g., Facebook, Twitter) to enable quick recovery of hacked accounts.
It’s obvious that cybersecurity is now a mission critical skill for election officials; as the formal structures emerge for detecting and sharing information about existing or potential threats, it’s encouraging to see efforts like Belfer’s Playbook which gives front-line administrators guidance about what to do RIGHT NOW and EVERY DAY. Kudos to everyone involved in compiling and supporting the Playbook … it’s a welcome source of support in an often-overwhelming cybersecurity environment.
Be careful out there … and stay tuned!