The Council of State Governments
://Election Cybersecurity Initiative Guide
:// BACKGROUND
In 2016, there were reports of election cybersecurity incidents around the country, from the scanning of state systems to attempted penetration of the voter registration system in Arizona to the breach of voter data in Illinois. While the election results were unaffected, there were gaps in response protocols and communication strategies for state agencies responsible for information technology and elections.
In two short years, government at all levels has quickly responded to this issue. For example, the U.S. Department of Homeland Security, or DHS, is working directly with other federal, state and local governments to assist jurisdictions with election cybersecurity through its National Protection and Programs Directorate, or NPPD.
In January 2017, election infrastructure was designated as part of the nation’s critical infrastructure. Under this designation, DHS—through the NPPD—provides an array of services that state and local election officials can utilize to reduce both cyber and physical risk to their election systems and facilities.
In October 2017, the Elections Infrastructure Government Coordinating Council, or GCC, was established. The GCC is made up of federal officials and state and local election officials to address issues pertaining to the new critical infrastructure designation for elections. The GCC goals and objectives cover information sharing, increasing capacity and resources for election administration. The GCC approved a Communications Protocol[1] document in July 2018 for information sharing between federal, state and local officials.
In March 2018, the Elections Infrastructure Information Sharing and Analysis Center, or EI-ISAC, was established.[2] This ISAC was formed under the umbrella of the Multi-State Information Sharing and Analysis Center, or MS-ISAC. The EI-ISAC shares election-specific information with state and local election officials. Albert sensors were made available to states for their election networks. These sensors monitor traffic on election networks and notify states when malicious indicators are present. This information is then shared with all EI-ISAC members. Many local jurisdictions also now have Albert monitors on their networks. All 50 states and over 1300 local jurisdictions are members of the EI-ISAC and work will continue to sign up more local jurisdictions.
Additionally, the Help America Vote Act, or HAVA, fund disbursement through the Consolidated Appropriations Act of 2018, authorized under Title I Section 101 of HAVA, began providing states with additional resources to secure and improve the U.S. election system in March 2018. This funding has been distributed to all states and territories through the U.S. Election Assistance Commission, or EAC, so that states can use these federal funds to enhance their individual state election cybersecurity programs.[3]
Many other organizations have responded to the need for increased election cybersecurity programs, including the Center for Internet Security, or CIS,[4] and the Harvard Belfer Center, and have developed comprehensive resources the elections community has embraced.[5]
However, without the adoption of a specific and inclusive protocol or a communications strategy surrounding election cybersecurity at the state and local level, valuable time can be lost addressing an incident and communicating the issue to other stakeholders and the public. Equally serious is the impact a chaotic response, with its accompanying confusion, could have on the public’s faith in our election system, the bedrock of our democracy.
Several state associations—the National Association of Secretaries of State, or NASS, the National Association of State Chief Information Officers, or NASCIO, the National Association of State Election Directors, or NASED, and the National Governors Association, or NGA—worked together with DHS to compile and update Point of Contact Sheets for Election Day. Contact Sheets for each state included the chief state election official, state election director, elections Information Technology, or IT, director, Chief Information Officer, or CIO, Chief Information Security Officer, or CISO, Chief Technology Officer, or CTO, homeland security director, DHS state cybersecurity advisor and protective security advisor, DHS regional director, DHS intelligence officer and DHS critical infrastructure specialist.
Our work through the CSG Election Cybersecurity Initiative seeks to improve intrastate election cybersecurity coordination and communication and expand and help improve implementation of existing protocols.
[1] https://www.dhs.gov/topic/election-security
[2] https://www.cisecurity.org/ei-isac/
[3] https://www.eac.gov/payments-and-grants/hava-funds-state-chart-view/
[4] https://www.cisecurity.org/elections-resources/
[5] https://www.belfercenter.org/
:// ADVISORY GROUP
While many stakeholders have responded to provide resources to help guide federal-state operations related to election cybersecurity, less attention has been paid to opportunities to evaluate and improve intrastate communications in this area. To help states address these increasingly complex concerns, The Council of State Governments, or CSG, created the CSG Election Cybersecurity Initiative. Key to this effort is an advisory group of state and local officials and cybersecurity and election experts. The advisory group guided CSG’s efforts throughout the initiative and has played a key role in developing the curriculum and goals for the overall effort.
The CSG Election Cybersecurity Initiative Advisory Group consists of the following representatives:
• DAVID BEIRNE, director, Federal Voting Assistance Program
• DAVID FORSCEY, policy analyst, Homeland Security & Public Safety Division, National Governors Association
• AMY COHEN, executive director, National Association of State Election Directors
• ROBERT GILES, director, Division of Elections, New Jersey Department of State
• KATHLEEN HALE, member, Election Center board of directors
• JOSEPH HALL, chief technologist, Center for Democracy & Technology
• TOM HICKS, chairman, U.S. Election Assistance Commission
• GEMA HOWELL, computer scientist, National Institute of Standards and Technology, U.S. Department of Commerce
• YEJIN JANG, director of government affairs, National Association of State Chief Information Officers
• MATT MASTERSON, senior cybersecurity adviser, U.S. Department of Homeland Security
• NOAH PRAETZ, director of elections, Cook County, Illinois Clerk’s Office
• LESLIE REYNOLDS, executive director, National Association of Secretaries of State
• BRAD STEELE, treasurer of the National Association of State Technology Directors, senior director of unified communications for the Executive Office of Technology Services and Security, Massachusetts
The CSG Election Cybersecurity Initiative team met with the project advisory group twice during the winter and early spring of 2018 in all-day planning sessions to outline the program and undertake strategic brainstorming exercises to determine how to best engage the election community when many federal and state agencies, academic institutions, nonprofits and other stakeholder groups were already working on various aspects of the election cybersecurity issue.
:// MISSION
The CSG Election Cybersecurity Initiative team and project advisory group determined that serving as a national resource for comprehensive election cybersecurity communications information would be beneficial and best leverage CSG’s state relationships and track record of serving the states in all three branches of government. The work should be accessible by state and local election officials, state legislators, governors’ offices, state technical resources such as the state CIO or CTO and other stakeholders whose functions directly or indirectly affect elections. Based on the project advisory group’s guidance, CSG organized a multi-state exercise whereby intrastate agency relationships and communication protocols surrounding election cybersecurity breaches were explored and mapped for individual states.
:// RESOURCE GUIDE
The CSG Election Cybersecurity Initiative team and the advisory group began its mission by reviewing published election cybersecurity information from the 50 states, U.S. territories and the District of Columbia. The reviewed works included election system security research, reports and guidebooks published by federal agencies, election community associations and academic institutions to assist state and local government officials. Through this research, CSG determined that the project advisory group was collectively unaware of whether a centralized registry of these important resources existed. The volume of projects and resources available that address election cybersecurity can be daunting for policymakers, state officials and state and local election officials alike. The advisory group decided that a first step for the project would be to compile a list of resources for state and local officials, including a description and links to reports or organizations. Thus, the CSG Election Cybersecurity Initiative team developed and shared the CSG Election Cybersecurity Initiative Resource Guide with states and other election community stakeholders via press release and issuance on CSG’s website during the spring of 2018.
One of the key resources included in the CSG Election Cybersecurity Resource Guide is the Harvard Kennedy School Belfer Center’s Defending Digital Democracy Project, or D3P, Election Cyber Campaign Playbook series. This playbook series[6] is a detailed resource, developed by D3P staff, cybersecurity and election experts, and state and local election officials. Much of the planning material and worksheets in this research brief are modified or referenced directly from that series in an effort to further aid state and local officials that touch election cybersecurity communications activities.
[6] https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook
:// STATE SELECTION
Eight focus states for this project were selected by the CSG Election Cybersecurity Initiative team together with the project advisory group, representing CSG’s four geographic regions—two states from each region—as well as other election technology, election administration process differences, and various governance structures within the states. The following states were selected for in-depth discussions with CSG project team members about their individual election cybersecurity communications protocols and relationships:
• Illinois
• Michigan
• Kentucky
• North Carolina
• Rhode Island
• Utah
• Vermont
• Washington
It is important to note that these states were not selected due to any known election cybersecurity risks or best practices. The criteria for selection did not include perceived “good” or “bad” cybersecurity protocols or communications practices, but instead included geographic, election administration and governance differences in an effort to provide a broad sample for this research. Additionally, these states have not been ranked or graded by CSG and the results of the project team’s communications with the members of these individual state teams are presented in this report in aggregate, or with specific highlighted examples anonymized. This allowed the free flow of information between the officials and the CSG Election Cybersecurity Initiative team without jeopardizing any individual state’s communications processes, cybersecurity protocols or sensitive interstate relationships.
:// STAKEHOLDER SELECTION
The next stage of the project after developing the resource guide and selecting the participating states was to identify key stakeholders in the states that are involved with the conduct of elections, cybersecurity, or both. The CSG Election Cybersecurity Initiative team invited key stakeholders in each of the chosen eight states to participate in a series of discussions designed to map election cybersecurity communications processes and protocols in an effort to formulate intrastate best practices.
The CSG Election Cybersecurity Initiative team and advisory group determined that each state team would include the following individuals, at minimum:
• The state chief information officer or state technology director
• A state election official
• A representative from the governor’s office
• Two legislative representatives
• A local election official
Upon producing the resource guide, the CSG Election Cybersecurity Initiative team then conducted multiple sessions during the spring and summer of 2018 with representative members of the selected eight states, focusing on state offices that touch the elections cybersecurity function as well as representative local election officials within each of the selected states.
Over 60 individuals from the eight states participated in in-depth interviews with the CSG project team. These state teams worked with the CSG team, using the previously described Belfer Center materials, to better understand the election and cybersecurity players in their state, identify key members of their individual state Cybersecurity Communications Response Team, or CCRT, discuss communications best practice ideas and how to develop long-term strategies for interdepartmental communication.
:// ANALYSIS OF FEEDBACK
The observations and lessons learned from the CSG Election Cybersecurity Initiative team’s extensive facilitated sessions with over 60 contacts from each of the eight states have been distilled and analyzed into this research brief so that any state can use this material to help map their intrastate communications in order to be optimally prepared in the event of an election cybersecurity breach.
The resulting feedback and analysis from these conversations were grouped into specific areas as follows:
State Legislator Feedback
The CSG Election Cybersecurity Initiative team interviewed a bipartisan mix of state legislators from the states. Some were involved in election or cybersecurity committees in their states and others were not. Following is some key feedback:
• There is insignificant involvement of state legislators in election cybersecurity activities. Unless they are members of a state’s election oversight committee where they appropriate funding for election functions and offices or make election law changes, state legislators play a limited role in elections or cybersecurity. That said, most are ready and willing to get involved to help in the event of a breach.
• Legislators expressed as much concern over influence campaigns during the 2016 election as over election cybersecurity. An effort to assess the integrity of an entire election should look as much at the information voters receive through third parties as the security of the voting system, they contend. Some legislators discussed concerns over inaccurate information on social media being consumed by voters.
• Legislators expressed an interest in learning more about election cybersecurity and challenges faced by state and local election officials to better serve and inform their constituents. As legislators spend significant time with their constituents, there is a strong desire among them to be as informed and knowledgeable on elections cybersecurity as they can be in order for them to help citizens maintain a level of trust in the election system.
State and Local Election Official Feedback
The CSG Election Cybersecurity Initiative team interviewed chief election officials in the participating states, including secretaries of state and members of state boards of election in addition to local election officials. There was a mix of elected and appointed election officials and a mix of partisan and nonpartisan representatives. Following is some key feedback:
• Election officials are eager to receive and implement election cybersecurity best practices. Elections officials are enthusiastic about finding and implementing best practices that will help to secure elections. They are very willing to learn and take advantage of available resources from their local, state and federal colleagues as well as other stakeholder groups.
• Election officials are wary of technologists with limited knowledge of elections processes prescribing cybersecurity protocols. Election officials have concerns that state and local cybersecurity and information technology experts do not have the subject matter expertise in elections administration to understand the complexity inherent in the conduct of an election.
• Election officials are innovative and resourceful when it comes to information technology and communications cybersecurity. In some states and localities, election officials are taking a do-it-yourself approach to cybersecurity, taking advantage of in-house technology expertise and state technology department support, but often without the benefit of standardized software products. Also, election officials often employ lower-tech tools like two-way radios which can be essential to communications in the event technology goes down or there is a cybersecurity breach. As one election official stated, “we need to focus on basic, ‘old-school practices,’ because we won’t have a way to communicate if our technology is taken from us.” Having phone, email and fax services all supported by the same provider is seen as a weakness by some, since a failure at the provider has the potential to take all three systems offline. Creating and maintaining a list of secondary emails and mobile phone numbers for all state and local election officials was stressed in the event other services are down. States are looking to establish and enhance relationships with county/municipal associations to help facilitate election cybersecurity communication channels between the state and local jurisdictions.
• Communication with voters at every step of the election process is important, but communication during any type of cybersecurity breach is of utmost importance. Many state and local officials suggested that the development of a plan to be able to communicate to the public in order for them to maintain confidence in the voting process and election results was critical. Election officials are also thinking proactively about communications. One state official developed a quarterly newsletter for local election officials to keep them up to date on what’s happening nationally in the field of election cybersecurity and best practices. Others have been ramping up their social media presence and media interviews in an effort to inform voters and show transparency in the process.
• State election officials often face challenges in working with local election officials on election cybersecurity mitigations. In some instances, state election officials and state technology and cybersecurity experts working together still face significant obstacles in working with local election officials to further strengthen their systems. Some local jurisdictions are either unable or reluctant to run their systems on state-managed government networks, so their systems can be secured using more robust state resources. The chief election officials in some states are unable to mandate this due to political sensitivities and the rights of local jurisdictions to govern themselves.
• States have differing structures and areas of responsibility that must be taken into consideration when developing election cybersecurity programs within each state. Some states report that, for example, the state CIO and/or the governor’s office has nothing to do with the operations of the secretary of state’s office where the secretary serves as the state’s chief election official. In many states, the secretary is independently elected, has their own servers and IT system and is not part of any other state system.
State Technologist and Cybersecurity Expert Feedback
The CSG Election Cybersecurity Initiative team interviewed representatives from state CIO, CTO, CISO and IT offices in the participating states. One state interviewed also had a state cybersecurity officer who spoke with the CSG team. Following is some key feedback:
• Cybersecurity and information technology expertise is often lacking at the local level, where it is often the most needed. Small and rural local jurisdictions rarely have the funding or human resources needed for specialized technical or security assistance during the conduct of an election.
• There is significant concern about a lack of understanding, or perceived lack of understanding, among elections officials about cybersecurity. Some believe there is a lack of understanding among elections officials about potential threats or outside hacks. Some state technologists and state cybersecurity experts encourage election officials to operate on a state CIO-maintained network because they have the necessary tools to prevent and detect intrusion, such as monitoring through the MS-ISAC.[7]
• There are significant differences in the roles of state technologists and cybersecurity experts from state to state; however, in most states they play crucial roles in information technology infrastructure. The role of the state CIO or CTO differs from state to state, but even in states where they play a limited role in elections and cybersecurity, that role is crucial such as that of an internet service provider or e-mail host.
• Federal agencies and organizations are working with state technologists and cybersecurity experts on election security. State officials report that they are communicating with federal authorities on election cybersecurity matters with organizations that include the White House Office of the CIO, the DHS, Federal Bureau of Investigation, or FBI, MS-ISAC and other agencies directly and through organizations such as National Association of State Technology Directors, or NASTD, and NASCIO. Many state C-level IT offices are working closely with state election officials, law enforcement and the National Guard in engaging the local officials to engage in risk assessment programs, penetration testing and the development of best practices in cybersecurity awareness and cyber hygiene. States also work with their state police cyber-crimes units. One state reported that they have access to their state police cyber-crimes unit's joint cyber task force which offers public and private sector cyber expertise. The task force discusses cybersecurity threats, challenges and how to meet a surge capacity in the state if needed. Many states reported working with a fusion center, which carries out intelligence gathering, analysis and dissemination of information as a locally operated center collaboratively operated by state and local law enforcement and the DHS and other homeland security partners.
• CIOs and CTOs would like more information on the similarities and differences across states. Data privacy and breach disclosure laws, election systems, and organizational structures vary from state to state. The CIOs and CTOs feel they lack easy access to information about legislation, data schemas, organizational layout, and performance metrics, such as crisis response times, across state lines. This makes it difficult to objectively assess the efficiency of their state compared to others.
• CIOs and CTOs feel like every state has to recreate communication protocols and models. Secretaries of state and CIOs and CTOs should be able to draw upon standard models and protocols to help them craft models that are specific to their state.
• Some technologists and security experts feel “cut out” of the election security process and feel mistrusted by election officials and other stakeholders. The complex and often politicized nature of elections in the states with regard to who has ownership of the technology solutions and who is the governing authority over election cybersecurity issues presents challenges. One state technologist reported that election cybersecurity has become politicized rather than “we’re IT folks and we’re here to help.” This state technologist shared that over the last eight months there have been attempts to break down the walls and say “I’m not red or blue. I speak IT and we’re going to do the right things regarding the security of our data and election systems.” There has been progress, but it is slow and difficult.
[7] This feedback from state technologists was collected after the establishment of the EI-ISAC in March 2018, but it is unclear how many of the state technologists and cybersecurity experts interviewed knew about their state’s involvement in it. All 50 states, DC, and Guam are in the EI-ISAC, as well as over 1300 local election offices. In addition, approximately 90% of state election offices are now monitored by CIS. https://www.cisecurity.org/services/albert/
Governor’s Office / Other State Agency Feedback
The CSG Election Cybersecurity Initiative team interviewed representatives from offices of the governor in many states in addition to representatives of state attorneys general offices, state departments of justice, state intergovernmental affairs offices and other members of state executive branch departments. Following is some key feedback:
• Some states enjoy collaboration between the governor’s office, the attorney general, state election officials and other departments that are part of the executive branch of state government. In most, if not all states, the attorney general enforces laws dealing with computer trespass issues and provides civil and criminal remedies. Some state attorneys general are more involved than others in communication flow with state election officials.
• Multiple state and local offices may be communicating with DHS, FBI, and other federal agencies regarding the prevention and detection of election cybersecurity breaches and any necessary resulting actions. One state referenced that their attorney general communicates directly with DHS and state law enforcement to work out a federal-state partnership to address election security breaches and resulting litigation. Some local election offices reported working directly with DHS in addition to the state’s work with DHS.
Common Themes
Upon analysis of in-depth, facilitated discussions with more than 60 individuals representing very different functions in state and local government in eight different states, many common themes emerged. These themes represent concerns, ideas and common practices referenced by many regardless of job position or state:
• There is often a lack of trust and transparency among the government agencies and stakeholder groups that touch elections. Each group feels the other does not understand the nuances of the other’s area of responsibility. This can present major obstacles in filling their information technology and cybersecurity roles with regard to protecting systems. In some cases, this has translated into significant dysfunction, political tensions, legal challenges and confusion.
• Overwhelmingly there has been an increase in communications over the last year between state election and state information technology resources, in addition to communications between state and local offices. In many states there now exist standing meetings or conference calls on a daily, weekly, bi-weekly or monthly basis with more frequency as the November 6, 2018, election approached. Some cross-functional groups are even meeting daily.
• More frequent cross-functional communications opportunities build trust and cooperation among all participants and almost all participants expressed an interest in working more closely together.
• External training from election cybersecurity experts is key as this increases both confidence and competence; significant leveraging of DHS resources and Belfer Center materials is occurring in the states. Many states reported working with the Belfer Center and attending election cybersecurity training programs for their state teams and local election officials. Many states hosted spinoffs of the Belfer program with tabletop security exercises in conjunction with the DHS and other federal entities in an effort to train their staff and local election officials on election cybersecurity.
• Deep concerns were expressed among almost all participants across all states regarding the funding of election administration, election technology and election cybersecurity. While there has been recent election cybersecurity funding through HAVA, it was expressed that this HAVA funding is insufficient for ongoing cybersecurity needs at the state and local level and only a fraction of what is actually needed.
:// CSG ELECTION CYBERSECURITY INITIATIVE BEST PRACTICE RECOMMENDATIONS FOR INTRASTATE COMMUNICATIONS
This initiative provided opportunities for constructive dialogue both between the CSG and state and local participants, and among state and local participants within a given state. While some discussions were conducted one-on-one between CSG team members and individual state participants, others were facilitated by CSG among a cross-section of individuals from different state and local offices that include local elections offices, state election offices, IT offices, the governor’s office, legislators and cybersecurity offices. Many common themes and suggestions for improvement in communications activities surrounding election cybersecurity emerged across all participants regardless of their state or position. Those have been merged into the following CSG Election Cybersecurity Initiative Best Practice Recommendations for Intrastate Communications:
• Communicate regularly and transparently with all appropriate state and local stakeholders whose responsibilities touch the cybersecurity processes within a state and coordinate these communication activities so that all are working collaboratively toward the same goal. Schedule regular meetings, conference calls and strategy sessions with all appropriate stakeholders to engage on new and ongoing cybersecurity threats and how to best mitigate these threats.
• Maintain an accessible repository of relevant information about state laws, organizational structure, election systems, and performance metrics. This repository would allow all relevant agencies to have more detailed conversations about best practices and ideal organizational models that best position them to respond and recover from cybersecurity incidents.
• A common communications mapping format across all 50 states and territories would greatly reduce the time it takes to craft new state-specific models and understand existing hierarchies and processes. By leveraging an accepted modeling standard, it would be easier for state agencies to disseminate critical information and to share communication practices among states. The products being developed by the National Institute of Standards and Technology, or NIST, Election Modeling Working Group could be used as a baseline model and a common modeling format.[8]
• Reach out to your colleagues across the hall, across the aisle and across fields of expertise in order to optimize the intrastate election cybersecurity communications efforts within your state. Take time to learn about and understand the responsibilities and concerns of colleagues in different departments and agencies within your state.
• Take advantage of the resources available for your state and its localities from federal agencies that include DHS, NIST, EAC and others. Review election cybersecurity materials from NASS, NASED, NGA, NASTD, NASCIO, and other associations involved on this issue. These resources, including the CSG Election Cybersecurity Initiative Resource Guide, should be shared with cross-departmental colleagues within your state and local offices that are touchpoints on election cybersecurity issues.
• Make use of the Harvard Kennedy School Belfer Center’s Election Cyber Campaign Playbook series and its materials to organize an election cybersecurity training session or tabletop exercise for your state or participate in an existing session. Invite colleagues from other states to contribute, learn and share their expertise at your event. Seek out opportunities to teach and learn within your state and outside your state.
• Be as transparent as possible in your election cybersecurity processes and communications activities surrounding these processes. Develop, strengthen and maintain relationships with local, state/regional, and national media, election integrity advocates, political parties and other civic organizations now so that if an election cybersecurity breach occurs, communications channels have already been established.
[8] https://collaborate.nist.gov/voting/bin/view/Voting/ElectionModeling
://Election Cybersecurity Resource Guide for State Policymakers
Election cybersecurity has been a hot topic for researchers, think tanks, non-profit associations, governments and other stakeholders. As a result, a flurry of research and guides have been published to assist state and local government officials as they strive to fully protect their election systems. This guide provides a list of some of those resources, including a brief summary of each and links to reports or organizational websites that contain helpful information. It is not a comprehensive list, but is a starting place for policymakers as they strive to be more informed and better prepared for the threats facing their states.
ORGANIZATIONS AND PUBLICATIONS
• National Association of State Chief Information Officers (NASCIO)
• National Association of Secretaries of State (NASS)
• National Association of State Election Directors (NASED)
• National Association of State Technology Directors (NASTD)
• National Conference of State Legislatures (NCSL)
• National Governors Association (NGA)
• Center for Democracy and Technology (CDT)
• Center for Internet Security (CIS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC)
• DEFCON 25 – Voting Machine Hacking Village
• Defending Digital Democracy (DDD), Harvard Kennedy School Belfer Center
• Federal Voting Assistance Program (FVAP), U.S. Department of Defense
• International Association of Governmental Officials (IGO)
• National Institute of Standards and Technology (NIST), U.S. Department of Commerce
• The Election Center, also known as the National Association of Election Officials
• U.S. Department of Homeland Security (DHS)
• U.S. Election Assistance Commission (EAC)
NATIONAL ASSOCIATION OF STATE CHIEF INFORMATION OFFICERS (NASCIO)
www.nascio.org
Founded in 1969, NASCIO is a nonprofit, 501(c)3 association representing state chief information officers and information technology executives and managers from the states, territories and the District of Columbia. The primary state members are senior officials from state government who have executive-level and statewide responsibility for information technology leadership. State CIOs’ unique understanding of state government technology and systems means they will play a key role in securing election systems from cybersecurity threats.
NATIONAL ASSOCIATION OF SECRETARIES OF STATE (NASS)
www.nass.org
Representing secretaries of state across the country, NASS serves as a medium for the exchange of information between states and fosters cooperation in the development of public policy. The association has key initiatives in the areas of elections and voting and 40 members of NASS serve as their state’s designated chief election official, overseeing the conduct of elections according to law. Ensuring the integrity of the voting process is central to this role, which includes cybersecurity preparedness and contingency planning, as well as administrative and technical support for local election officials. Membership is open to the 50 states, the District of Columbia and all U.S. Territories. NASS has a page on its website devoted to election cybersecurity (https://www.nass.org/initiatives/election-cybersecurity), which includes briefings, news, statements, positions NASS has taken on major policy initiatives and additional resources.
NATIONAL ASSOCIATION OF STATE ELECTION DIRECTORS (NASED)
www.nased.org
NASED is a nonpartisan professional organization that disseminates election administration best practices and information across the states. The association’s members are election directors from across the country who are responsible for implementing election policies, maintaining the voter registration databases, working with local election officials to ensure a successful voting experience for all voters, and more. The association’s website has a list of helpful links, including key cybersecurity resources, at (https://www.nased.org/helpfullinks/).
NATIONAL ASSOCIATION OF STATE TECHNOLOGY DIRECTORS (NASTD)
www.nastd.org
NASTD is a member-driven organization whose purpose is to advance and promote the effective use of information technology and services to improve the operation of state government. The association represents information technology professionals from the 50 states, divided into four regions, and the private sector. State members provide and manage state government information technology services and facilities for state agencies and other public entities, often including hospitals, prisons, colleges and universities. These members also play a strategic role in planning and shaping state government technology infrastructures and policies.
NATIONAL CONFERENCE OF STATE LEGISLATURES (NCSL)
www.ncsl.org
Since it was created in 1975, NCSL has worked to advance the effectiveness, independence and integrity of legislatures, to foster interstate cooperation and to represent states at the federal level. NCSL’s membership consists of the legislatures of the states, the District of Columbia, and the territories and commonwealths of the United States. The association has created a Task Force on Cybersecurity (https://www.ncsl.org/ncsl-in-dc/task-forces/task-force-on-cybersecurity.aspx) and a page on NCSL’s website is dedicated to election security (https://www.ncsl.org/research/elections-and-campaigns/election-security-state-policies.aspx). The page includes articles and resources on election cybersecurity.
NATIONAL GOVERNORS ASSOCIATION (NGA)
www.nga.org
Founded in 1908, NGA is the collective voice of the nation’s governors and one of Washington, D.C.’s most respected public policy organizations. Its members are the governors of the 55 states, territories and commonwealths. To help states address the consequences of the rapidly evolving and expanding technological threats now faced by law enforcement agencies, public works and energy agencies, private financial and communications sectors and the general public, NGA launched a Resource Center for State Cybersecurity (https://www.nga.org/center/issues/resource-center-for-state-cybersecurity/). The center is co-chaired by Michigan Gov. Rick Snyder and Louisiana Gov. John Bel Edwards and will provide governors with resources, tools and recommendations to help craft and implement effective state cybersecurity policies and practices.
CENTER FOR DEMOCRACY AND TECHNOLOGY (CDT)
www.cdt.org
CDT, a think tank and advocacy-focused organization, is headquartered in Washington, D.C. with an international presence in London and Brussels. CDT works inclusively across sectors and the political spectrum to find tangible solutions to today’s most pressing internet policy challenges. The center’s Election Security and Privacy Project seeks to identify and update election cybersecurity practices and work through potential remedies in a few critical areas: state voter registration systems, election auditing, and campaign data. The center is also working to create a gap analysis of current election cybersecurity best practices compared to those practices of entities that regularly defend against nation-state threats. (https://cdt.org/campaign/election-security/)
CENTER FOR INTERNET SECURITY (CIS) AND THE MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER (MS-ISAC)
www.cisecurity.org
CIS is a non-profit group that works with the global IT community to safeguard private and public organizations against cybersecurity threats. CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is also home to the MS-ISAC (https://www.cisecurity.org/ms-isac/), a key resource for cybersecurity threat prevention, protection, response and recovery for U.S. state, local, tribal and territorial government entities. CIS published A Handbook for Elections Infrastructure Security (https://www.cisecurity.org/elections-resources/) in February 2018. The handbook is designed to help election officials and those that manufacture, own, operate, or are otherwise involved with elections systems and their IT components, better understand and prioritize risks, understand best practices that can identify threats, detect attacks, allow for recovery from cybersecurity incidents and, ultimately, continue to provide and support systems for the execution of free and fair elections.
DEFCON REPORT
www.defcon.org
The 2017 DEFCON (hacker) conference in Las Vegas, Nevada, featured a Voting Machine Hacking Village to highlight cybersecurity vulnerabilities in U.S. election infrastructure, including voting machines, voter registration databases, and election office networks. The results of this exercise were published in a report, DEFCON 25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities, U.S. Election Equipment, Databases and Infrastructure. (https://www.defcon.org/images/defcon-25/DEF%20CON%2025%20voting%20village%20report.pdf)
DEFENDING DIGITAL DEMOCRACY (D3P), HARVARD KENNEDY SCHOOL BELFER CENTER
www.belfercenter.org/D3P
D3P is a project of the Harvard Kennedy School Belfer Center for Science and International Affairs. The project aims to identify and recommend strategies, tools and technology to protect democratic processes and systems from cybersecurity and information attacks. In February 2018, the group published three intuitive guides related to election cybersecurity for election administrators:
THE STATE AND LOCAL ELECTION CYBERSECURITY PLAYBOOK
https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook
Declaring that it is crucial that everyone involved in the election process—from secretaries of state and election administrators to clerks and election site workers—understand their role in protecting the process and the threats that it faces, the playbook had two goals: (1) to make the most likely and most serious cybersecurity and information operation threats understandable to everyone involved in the election process; and (2) to offer state and local election officials basic risk-mitigation strategies to counter these threats. The playbook provides background to frame the elections operating environment, offers 10 best practice principles applicable to every election jurisdiction and a list of research security insights by election system, and provides basic risk-mitigation recommendations specific to five components of the election system: voter registration databases, vote casting, vote tallying, election night reporting, and internal and public communications.
ELECTION CYBER INCIDENT COMMUNICATIONS COORDINATION GUIDE
https://www.belfercenter.org/publication/election-cyber-incident-communications-coordination-guide
This guide was designed to help coordinate and align communications across jurisdictional boundaries in an election-related cybersecurity incident that involves more than one state. Its primary purpose is to maintain (or regain) public confidence in the face of such an incident. The guide includes a set of best practices for communicating about an election-related cybersecurity incident and a process for coordinating multistate communications decision-making, including spokespeople and communications messages.
ELECTION CYBER INCIDENT COMMUNICATIONS PLAN TEMPLATE
https://www.belfercenter.org/publication/election-cyber-incident-communications-plan-template
The plan template outlines key components of a communications plan that state election officials can build out and tailor to the needs of their jurisdiction. It can also be used at the local level, particularly for large counties. A communications plan includes guidelines and template materials to help election officials respond to an election-related cybersecurity incident quickly and in a coordinated fashion during the first several days of a cybersecurity incident. The plan template is designed to be used in conjunction with the State and Local Election Cybersecurity Playbook and the Election Cyber Incident Communications Coordination Guide.
FEDERAL VOTING ASSISTANCE PROGRAM (FVAP), U.S. DEPARTMENT OF DEFENSE
www.fvap.gov
FVAP works to ensure service members, their eligible family members and overseas citizens are aware of their right to vote and have the tools and resources to successfully do so—from anywhere in the world. The director of FVAP administers the Uniformed and Overseas Citizens Absentee Voting Act, or UOCAVA, on behalf of the U.S. Secretary of Defense. UOCAVA, as amended by the Military and Overseas Voter Empowerment, or MOVE, Act, requires states to transmit requested absentee ballots to UOCAVA voters no later than 45 days before a federal election. FVAP assists voters through partnerships with the military services, Department of State, Department of Justice and election officials from 50 States, U.S. territories and the District of Columbia. FVAP conducted research (https://www.fvap.gov/uploads/FVAP/Reports/FVAP_EVDP_20151229_final.pdf) to inform the project planning and execution of the Department of Defense’s previously mandated electronic voting demonstration requirement. Although Congress eliminated this requirement and the Department of Defense is no longer exploring program implementation in this area, FVAP believes the research and identification of outstanding questions are valuable and should be shared. Much of the supporting research may hold value for any future deliberations on the merits of remote electronic voting and information security considerations.
INTERNATIONAL ASSOCIATION OF GOVERNMENT OFFICIALS (IGO)
www.iaogo.org
IGO provides professional training and leadership development for recorders, clerks, election officials and treasurers. IGO offers members opportunities to exchange ideas, elevate standards through education, encourage legislative awareness, develop efficient ways to serve the public and promote the ethics of public service internationally. The association introduces the latest in technology and innovations to government officials while developing contacts in furtherance of their profession.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), U.S. DEPARTMENT OF COMMERCE
www.nist.gov
NIST was established by Congress in 1901 and is part of the U.S. Department of Commerce. The agency’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities. The agency’s most recent Framework for Improving Critical Infrastructure Cybersecurity describes a voluntary risk management framework consisting of standards, guidelines and best practices to manage cybersecurity-related risk (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).
In addition, the Help America Vote Act of 2002, or HAVA, requires the director of NIST to chair the Technical Guidelines Development Committee and to provide technical support to the committee in the development of these voluntary guidelines (https://www.eac.gov/electionsecurity/). HAVA directs NIST to conduct an evaluation of independent non-federal laboratories to carry out the testing of voting systems and to submit recommendations of qualified laboratories to the EAC for accreditation.
A NIST-EAC Cybersecurity Working Group (https://collaborate.nist.gov/voting/bin/view/Voting/CyberSecurity) has been created for the discussion and development of guidance for voting system cybersecurity-related issues, including various aspects of security controls and auditing capabilities. The guidance will inform the development of requirements for the EAC Voluntary Voting System Guidelines.
Another NIST-EAC working group formed to examine the various processes necessary for the administration of an election, the Election Modeling Working Group (https://collaborate.nist.gov/voting/bin/view/Voting/ElectionModeling), aims to define models for both common and state-specific election operations. The models will “[inform] the election public working groups and serve as a basis for use cases for other Common Data Format (CDF) efforts.” Related to this effort is the Election Glossary, which has two main goals: define all election terminology and cross-reference any related state-specific terms.
THE ELECTION CENTER
www.electioncenter.org
The Election Center, also known as the National Association of Election Officials, is a nonprofit organization whose mission is to promote, preserve and improve democracy. With more than 1,000 members nationwide, The Election Center touts the largest number of the state and local election and voter registration administrators as members of any elections-related organization in America. Its members are almost exclusively government employees whose profession it is to serve in voter registration and elections administration, including voter registrars, elections supervisors, city clerks/city secretaries, county clerks, county recorders, state legislative staff members, state election directors and secretaries of state for each of the individual states, territories and the District of Columbia. The Election Center has produced an Elections Security Checklist focused on risk assessment, defense and disaster recovery (https://www.electioncenter.org/election-security-infrastructure-elections-security-checklist.html).
THE U.S. DEPARTMENT OF HOMELAND SECURITY (DHS)
www.dhs.gov
DHS was established in 2002 and combined 22 different federal departments and agencies into a unified, integrated cabinet agency. DHS resources include on-going and current information about threats, risks and vulnerability assessments, and security best practices as well as hands-on advice.
Critical Infrastructure Designation: In 2017, DHS designated U.S. election systems as critical infrastructure, which enables DHS to prioritize cybersecurity and physical assistance to election officials who request it, resulting in greater access to DHS information and security resources. To support the newly designated critical infrastructure sector, an Election Infrastructure Government Coordinating Council (https://www.dhs.gov/publication/government-facilities-sector-charter) was established to inform how the DHS works with state and local jurisdictions to implement its designation of elections systems as part of the nation’s critical infrastructure.
Organization and Resources: Within DHS, the National Protection and Programs Directorate, or NPPD, includes the Office of Cybersecurity and Communications, the Office of Cyber and Infrastructure Analysis and the Office of Infrastructure Protection. NPPD’s services are available at no cost to state and local government officials, are available upon request and are strictly voluntary. An April 2018 Election Infrastructure Security Resource Guide (https://www.dhs.gov/sites/default/files/publications/DHS%20Election%20Infrastructure%20Security%20Resource%20Guide%20April%202018.pdf) provides additional details about what DHS can offer state leaders, including contact information for the following:
• Cybersecurity Advisors: DHS’s Cybersecurity Advisors, or CSAs, are trained personnel assigned to 10 regions throughout the United States to help private-sector entities and state, local, territorial, and tribal, or SLTT, governments prepare for—and protect themselves against—cybersecurity threats. For more information, or to reach your local CSA, contact cyberadvisor@hq.dhs.gov.
• Protective Security Advisors: Serving 73 districts in 50 States and Puerto Rico, Protective Security Advisors, or PSAs, are trained in the physical aspects of infrastructure protection and serve as the link to DHS infrastructure protection resources and the Federal Emergency Management Agency. For more information or to reach your local PSA, please contact PSCDOperations@hq.dhs.gov.
• National Cybersecurity and Communications Integration Center: DHS’s National Cybersecurity and Communications Integration Center is a 24/7 cybersecurity situational awareness, incident response, and cybersecurity risk management center that is the national nexus of cybersecurity and communications information. The Computer Readiness Team is part of this center and has some tips on securing voter registration data on their site (https://www.us-cert.gov/ncas/tips/ST16-001). To report an incident, contact ncciccustomerservice@hq.dhs.gov.
Additional DHS resources include cybersecurity assessments such as a no-cost, voluntary interview-based assessment to evaluate an organization’s operational resilience and cybersecurity practices; detection and prevention services such as network protection, incident response, recovery and cyber threat hunting; information exchange, including the National Cyber Awareness System; and training and career development, including cybersecurity exercises.
U.S. ELECTION ASSISTANCE COMMISSION (EAC)
www.eac.gov
The EAC was established by the Help America Vote Act of 2002, also known as HAVA, as an independent, bipartisan commission. The commission is charged with developing guidance to meet HAVA requirements, adopting voluntary voting system guidelines, and serving as a national clearinghouse of information on election administration. The commission also accredits testing laboratories and certifies voting systems, as well as audits the use of HAVA funds. The EAC has a number of resources available, including a page on election security at https://www.eac.gov/electionsecurity/, a page on election security preparedness at https://www.eac.gov/election-officials/election-security-preparedness, which lists a glossary of IT terms related to managing election technology and cybersecurity terminology, incident response best practices and checklists, and a page of detailed information about the Department of Homeland Security’s designation of election systems as critical infrastructure at https://www.eac.gov/election-officials/elections-critical-infrastructure/.
www.csg.org
Acknowledgements
CSG thanks the Democracy Fund for their generous sponsorship of this work. The views and conclusions expressed in this report are those of CSG and do not necessarily reflect the opinions of our funder. CSG thanks the CSG Election Cybersecurity Initiative Advisory Group members as well as the following organizations represented by these members: Center for Democracy & Technology, Election Center, Federal Voting Assistance Program, National Association of Secretaries of State, National Association of State Chief Information Officers, National Association of State Election Directors, National Association of State Technology Directors, National Governors Association, National Institute of Standards and Technology, U.S. Department of Homeland Security, and U.S. Election Assistance Commission. CSG thanks the Harvard Belfer Center, and especially Mari Dugas, whose materials were used to guide the interview process associated with this work. CSG thanks Jennifer Burnett, Jared Marcotte, Michelle M. Shafer, Sean Slone and Elizabeth Whitehouse for their contributions to this project. Finally, CSG thanks the more than 60 individuals across eight states who graciously took significant time to speak with our project team members about election cybersecurity.