Recent elections highlighted the importance of strong election security. But much of good election security is also just good cybersecurity — and lessons learned point the way to best practices for government at all levels.
During Wednesday’s GovLoop online training entitled “What You Can Learn About Security from Elections,” we spoke with two experts on elections and cybersecurity who shared their experiences and offered tips for tightening election systems:
- Deborah Blythe, Former Chief Information Security Officer, State of Colorado, Executive Public Sector Strategist, Crowdstrike
- Tonya Rice, Former Director of Elections, Cook County, IL, Elections Vertical Strategy Leader, Amazon Web Services
Use the cloud
2016 was critical for the Cook County elections department, said Rice. “We modeled best practices for cybersecurity, and during that time, I really saw the value of the cloud for standardizing security, operations, and scalability.”
“As agencies modernize their systems, they often adopt the cloud,” Blythe added. “Using the cloud offloads part of the security burden onto providers who are experts at it. “You want to use cloud partners to make sure you’re implementing optimum security.”
Partner with others, in both government and industry
“No state or county should try to tackle these complex issues on their own,” said Rice. “Partnerships allow election administrators to focus on the core needs of the electorate, instead of building and maintaining the underlying infrastructure.”
“Counties have so few resources,” Blythe concurred. “Partner with the private sector and other agencies. You can’t take on that volume of work all by yourself.”
In Colorado, for instance, Blythe worked not only with industry vendors, but with the National Guard, which provided support for conducting the elections, including preparation and security assessment.
Look for resources to leverage your efforts
As short as local resources may be, there is help available, both speakers said.
- The US Election Assistance Commission administers Help America Vote Act (HAVA) grant funds to help localities meet voting systems standards.
- Organizations like the Cybersecurity and Infrastructure Security Agency (CISA), the Electricity Information Sharing and Analysis Center (E-ISAC) and the National Institute of Standards and Technology (NIST) provide guidelines, standards, and general information for enhancing cybersecurity across government agencies.
For example, just this week, CISA released its Election Infrastructure Insider Threat Mitigation Guide, and NIST’s cybersecurity framework offers step-by-step best practices to build or improve your cybersecurity posture.
Six tips to improve security
So what specific tips did Rice and Blythe share?
- Make cybersecurity your culture. First and foremost, agencies need to appreciate the importance of secure systems.
- Roll it out, turn it on. The best protocols and systems won’t work if they’re not used. In many breaches, organizations had all the tools in place — but hadn’t rolled them out.
- Follow the 1-10-60 rule. Have the power to detect a threat in the first minute, understand it in 10, and contain it in 60.
- Protect your identity. Use multi-factor verification for all accounts. Protect service and administrative accounts, too, so attackers can’t just log in.
- Control remote access. Systems that don’t need internet access shouldn’t have it.
- Practice good cyber hygiene. Control the software allowed on your systems and eliminate unneeded software. Stay up to date on patches.
Following these security steps will go a long way to keeping elections safe and secure, Rice and Blythe said. And that’s a goal we all can share.
This online training brought to you by:
Leave a Reply
You must be logged in to post a comment.