8 Steps Toward Safer Elections
Here’s some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt9b48b5d0edeeeeae/64f0d6a5f7744da3bde7462e/Slide1CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
It's time to think of securing elections the same way we think about securing our businesses and government agencies. Election systems, like all other entities today, are open to cyberattack. So election and government officials have to learn from their corporate counterparts and put a plan in place to achieve a successful election.
"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk’s Office in Illinois. In an April 16 email sent out to his election colleagues in Illinois, Praetz outlined some best practices and options for local elections officials.
"What we need more than anything are professional security people, boots on the ground who can help institute best practices," Praetz says.
The federal Election Assistance Commission made available $380 million earlier this year for states to improve and modernize their election systems. But Praetz cautions that EAC only allocated funding for this year under the Help America Vote Act of 2002. He says much more is needed over successive years to deliver what’s needed to the nation’s 8,800 election districts.
While it's unclear that more financial help will be authorized beyond this year, the Department of Homeland Security has been more open in the past several weeks about the need for increased election security leading up to November's Congressional elections.
In testimony earlier this week before the House Committee on Oversight and Government Reform, undersecretary Christopher C. Krebs told lawmakers that DHS has prioritized voluntary cybersecurity assistance for election infrastructure similar to what's provided to numerous other sectors that have been designated as critical infrastructure, such as the financial sector, defense industry, and electric utilities. DHS designated election infrastructure a critical subsector in January 2017.
Krebs said DHS has been working with the EAC and other state and local partners to strengthen the security of election systems nationwide, noting in his testimony that DHS will continue to offer a broad range of services, such as cybersecurity hygiene scans, risk and vulnerability assessments, and incident response assistance.
The EAC money has served as a good start, but there are thousands of election districts across the country that are lucky to have one IT support person, let alone a $250,000-a-year threat hunter with a CISSP or other important security credentials. While DHS and other groups are available to help, there’s insufficient support for a much stronger national effort.
A comment from Maria Benson, communications director of the National Association of Secretaries of State, gives some insight into how difficult it would be to forge a national effort. When asked what the status was in Washington of developing a national set of guidelines for election security, Benson replied: "I do not have an opinion, nor does the association. Each state has the authority to decide how to run elections in a secure, fair manner."
In contrast, Harri Hursti, participant in the Voting Machine Hacking Village at DEFCON last year, and Cecile Shea, non-resident senior fellow for global security and diplomacy at the Chicago Council on Global Affairs, say there should be a much stronger effort at the federal level. Both Hursti and Shea say national guidelines can be developed in a way that offers states technology options, but still gives local districts control and the ability to do what suits them best.
For now, a group of Democratic Senators last month introduced the Protecting American Votes and Elections Act, legislation headed up by Sen. Ron Wyden (D-Ore.) that would require states to produce paper trails and mandatory audits. If passed into law, the bill would authorize $10 million to study, test, and develop accessible paper ballot voting, verification, casting mechanisms and devices, and voting best practices. The bill has only Democratic sponsors and no support from Republicans.
That's why Dark Reading took some time and talked to numerous state and local and industry officials to develop a feature that outlines some proactive steps governments (and private citizens) can take to make their elections this November more secure.
We talked to the following sources: Noah Praetz, director of elections, Cook County, Ill., Dr. Eman El-Sheikh, director of the Center for Cybersecurity, University of West Florida, Harri Hursti, a leader in the DEFCON election hacking effort, and Cecile Shea of the Chicago Council on Global Affairs. We also reached out and compiled valuable information via email with Harvard University's Belfer Center for Science and International Affairs, the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the Brennan Center for Justice, and Sen. Wyden's office in Washington, D.C.
Election organizations need to have a plan in place for what happens if they are hacked. Governments should identify a point person and develop a specific plan of action in terms of how the organization will respond and remediate the breach. They need to specify who will get the first call, which members of the team will be dispatched, and how the organization will return to normal operations so a credible election can take place.
Nobody operates in a vacuum today. All states, districts, and counties face the same challenges, so it makes sense to pool information. Along with the EI-ISAC, there are many other resources that governments should use in putting together election security and response plans. Some include the following: Center for Internet Security Elections Security Handbook Belfer Center at Harvard University Security Playbooks Cook County White Paper on Election Security US Homeland Security Election Services Election Assistance Commission Resources Google: Free Election Website Protections Cloudfare: The Athenian Project
About 40 states are currently using voter registration databases that were initially created well more than 10 years ago. Many of these aging databases were not designed to withstand present-day cybersecurity threats and are in grave need of an upgrade both for basic user and management functionality as well as security. The recent case in Los Angeles County in which 118,522 voters were accidentally left off polling place rosters underscores the need for governments to upgrade their voter registration databases.
Letter from Noah Praetz to fellow Illinois election administrators. Reprinted with permission. Image by Minerva Studio, via Shutterstock.:
April 16, 2018
Fellow Illinois Election Administrators,
Lost in the talk of election hacking, and the state and federal responses, has been the fact that local election officials actually run elections - from beginning to end. And because we run them we are the ones who are tasked with securing the digital systems we rely upon, from websites to vote counting computers. The vulnerabilities to these digital systems are real. And so is the slippery threat from our adversaries. The bad guys just did major damage with a cyberattack against the City of Atlanta. Ask Uber or Equifax, HBO or Sony how difficult digital defense can be.
I am the co-chair of the council US Homeland Security setup in the wake of the interference last year. I sit alongside the president of the National Association of State Election Directors (NASED), the President of the National Association of Secretaries of State (NASS), the Chair of the Election Assistance Commission (EAC), and the head of the National Infrastructure Program Protection Directorate (NPPD). Sitting with those four, I represent the nine locals on the Council and you, the local election officials of Illinois and America. In that job I have advocated long and hard on our behalf; primarily to ensure attention and support gets all the way to the local level.
I have also attended a number of briefings. Make no mistake, we are the troops on the front lines. We have been warned to brace ourselves against expected cyberattacks. I imagine the thought of defending against a nation-state may be difficult - even overwhelming. It has been both for me. Even in an office of our size, Cook County, we decided to hire an Elections Infrastructure Security Officer to make sure we get this right. I know how incredibly tight your budgets are and the huge list of responsibilities you each carry, as executives, experts and line workers. Your capacity and responsibilities amaze me.
There are a number of relatively easy things you can do now to help increase your defenses, and also answer the question which will inevitably come your way:
"What have you done since 2016 to increase your security?"
Please start by doing/considering these five things....
1.) Sign-up for free threat information sharing services:
A.) The Election Information Sharing & Analysis Center (EI-ISAC). This first of its kind partnership is designed to provide election officials with near real time information sharing and threat analysis with regard to election systems. https://learn.cisecurity.org/ei-isac-registration
B.) The Illinois Statewide Terrorism Intelligence Center (STIC) - [contact information redacted]
C.) The Multi-State Information Sharing & Analysis Center (MS-ISAC) (transitioning to Elections-ISAC) https://learn.cisecurity.org/ms-isac-registration
2.) Print, read and understand election security best practice documents
A.) Center for Internet Security Elections Security Handbook - https://www.cisecurity.org/elections-resources/
B.) Belfer Center at Harvard University - Defending Digital Democracy Program - Security Playbooks - https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook
C.) Cook County White Paper on Election Security - "2020 Vision: Election Security in the Age of Committed Foreign Threats" - https://www.cookcountyclerk.com/sites/default/files/pdfs/Election%20Security%20White%20Paper_Praetz_12062017.pdf
3.) Use free technical resources
A.) US Homeland Security Election Services - https://www.eac.gov/assets/1/6/DHS_Cybersecurity_Services_Catalog_for_Election_Infrastructure.pdf
<1.) cyber hygiene - free and fast
2.) Phishing Campaign - Free and Fast
B.) Election Assistance Commission Resources - https://www.eac.gov/election-officials/election-security-preparedness/
C.) Cloudflare - Free Election Website Protections - https://www.cloudflare.com/athenian-project/
D.) Google - Free Election Website Protections - https://protectyourelection.withgoogle.com/intl/en/
4.) Get cyber security training for you and your staff
A.) In development from the state and federal resources
5.) Advocate for direct assistance in navigating this cyber minefield
Good luck. We have just over six months until the midterms.
Best,
Noah
Noah Praetz
Director of Elections
Office of Cook County Clerk, David Orr
69 West Washington Street, Suite 500
Chicago, IL 60602
312.603.0942
312.520.2833 mobile
312.603.9786 fax
web: www.cookcountyclerk.com
Letter from Noah Praetz to fellow Illinois election administrators. Reprinted with permission. Image by Minerva Studio, via Shutterstock.:
April 16, 2018
Fellow Illinois Election Administrators,
Lost in the talk of election hacking, and the state and federal responses, has been the fact that local election officials actually run elections - from beginning to end. And because we run them we are the ones who are tasked with securing the digital systems we rely upon, from websites to vote counting computers. The vulnerabilities to these digital systems are real. And so is the slippery threat from our adversaries. The bad guys just did major damage with a cyberattack against the City of Atlanta. Ask Uber or Equifax, HBO or Sony how difficult digital defense can be.
I am the co-chair of the council US Homeland Security setup in the wake of the interference last year. I sit alongside the president of the National Association of State Election Directors (NASED), the President of the National Association of Secretaries of State (NASS), the Chair of the Election Assistance Commission (EAC), and the head of the National Infrastructure Program Protection Directorate (NPPD). Sitting with those four, I represent the nine locals on the Council and you, the local election officials of Illinois and America. In that job I have advocated long and hard on our behalf; primarily to ensure attention and support gets all the way to the local level.
I have also attended a number of briefings. Make no mistake, we are the troops on the front lines. We have been warned to brace ourselves against expected cyberattacks. I imagine the thought of defending against a nation-state may be difficult - even overwhelming. It has been both for me. Even in an office of our size, Cook County, we decided to hire an Elections Infrastructure Security Officer to make sure we get this right. I know how incredibly tight your budgets are and the huge list of responsibilities you each carry, as executives, experts and line workers. Your capacity and responsibilities amaze me.
There are a number of relatively easy things you can do now to help increase your defenses, and also answer the question which will inevitably come your way:
"What have you done since 2016 to increase your security?"
Please start by doing/considering these five things....
1.) Sign-up for free threat information sharing services:
A.) The Election Information Sharing & Analysis Center (EI-ISAC). This first of its kind partnership is designed to provide election officials with near real time information sharing and threat analysis with regard to election systems. https://learn.cisecurity.org/ei-isac-registration
B.) The Illinois Statewide Terrorism Intelligence Center (STIC) - [contact information redacted]
C.) The Multi-State Information Sharing & Analysis Center (MS-ISAC) (transitioning to Elections-ISAC) https://learn.cisecurity.org/ms-isac-registration
2.) Print, read and understand election security best practice documents
A.) Center for Internet Security Elections Security Handbook - https://www.cisecurity.org/elections-resources/
B.) Belfer Center at Harvard University - Defending Digital Democracy Program - Security Playbooks - https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook
C.) Cook County White Paper on Election Security - "2020 Vision: Election Security in the Age of Committed Foreign Threats" - https://www.cookcountyclerk.com/sites/default/files/pdfs/Election%20Security%20White%20Paper_Praetz_12062017.pdf
3.) Use free technical resources
A.) US Homeland Security Election Services - https://www.eac.gov/assets/1/6/DHS_Cybersecurity_Services_Catalog_for_Election_Infrastructure.pdf
<1.) cyber hygiene - free and fast
2.) Phishing Campaign - Free and Fast
B.) Election Assistance Commission Resources - https://www.eac.gov/election-officials/election-security-preparedness/
C.) Cloudflare - Free Election Website Protections - https://www.cloudflare.com/athenian-project/
D.) Google - Free Election Website Protections - https://protectyourelection.withgoogle.com/intl/en/
4.) Get cyber security training for you and your staff
A.) In development from the state and federal resources
5.) Advocate for direct assistance in navigating this cyber minefield
Good luck. We have just over six months until the midterms.
Best,
Noah
Noah Praetz
Director of Elections
Office of Cook County Clerk, David Orr
69 West Washington Street, Suite 500
Chicago, IL 60602
312.603.0942
312.520.2833 mobile
312.603.9786 fax
web: www.cookcountyclerk.com
It's time to think of securing elections the same way we think about securing our businesses and government agencies. Election systems, like all other entities today, are open to cyberattack. So election and government officials have to learn from their corporate counterparts and put a plan in place to achieve a successful election.
"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk’s Office in Illinois. In an April 16 email sent out to his election colleagues in Illinois, Praetz outlined some best practices and options for local elections officials.
"What we need more than anything are professional security people, boots on the ground who can help institute best practices," Praetz says.
The federal Election Assistance Commission made available $380 million earlier this year for states to improve and modernize their election systems. But Praetz cautions that EAC only allocated funding for this year under the Help America Vote Act of 2002. He says much more is needed over successive years to deliver what’s needed to the nation’s 8,800 election districts.
While it's unclear that more financial help will be authorized beyond this year, the Department of Homeland Security has been more open in the past several weeks about the need for increased election security leading up to November's Congressional elections.
In testimony earlier this week before the House Committee on Oversight and Government Reform, undersecretary Christopher C. Krebs told lawmakers that DHS has prioritized voluntary cybersecurity assistance for election infrastructure similar to what's provided to numerous other sectors that have been designated as critical infrastructure, such as the financial sector, defense industry, and electric utilities. DHS designated election infrastructure a critical subsector in January 2017.
Krebs said DHS has been working with the EAC and other state and local partners to strengthen the security of election systems nationwide, noting in his testimony that DHS will continue to offer a broad range of services, such as cybersecurity hygiene scans, risk and vulnerability assessments, and incident response assistance.
The EAC money has served as a good start, but there are thousands of election districts across the country that are lucky to have one IT support person, let alone a $250,000-a-year threat hunter with a CISSP or other important security credentials. While DHS and other groups are available to help, there’s insufficient support for a much stronger national effort.
A comment from Maria Benson, communications director of the National Association of Secretaries of State, gives some insight into how difficult it would be to forge a national effort. When asked what the status was in Washington of developing a national set of guidelines for election security, Benson replied: "I do not have an opinion, nor does the association. Each state has the authority to decide how to run elections in a secure, fair manner."
In contrast, Harri Hursti, participant in the Voting Machine Hacking Village at DEFCON last year, and Cecile Shea, non-resident senior fellow for global security and diplomacy at the Chicago Council on Global Affairs, say there should be a much stronger effort at the federal level. Both Hursti and Shea say national guidelines can be developed in a way that offers states technology options, but still gives local districts control and the ability to do what suits them best.
For now, a group of Democratic Senators last month introduced the Protecting American Votes and Elections Act, legislation headed up by Sen. Ron Wyden (D-Ore.) that would require states to produce paper trails and mandatory audits. If passed into law, the bill would authorize $10 million to study, test, and develop accessible paper ballot voting, verification, casting mechanisms and devices, and voting best practices. The bill has only Democratic sponsors and no support from Republicans.
That's why Dark Reading took some time and talked to numerous state and local and industry officials to develop a feature that outlines some proactive steps governments (and private citizens) can take to make their elections this November more secure.
We talked to the following sources: Noah Praetz, director of elections, Cook County, Ill., Dr. Eman El-Sheikh, director of the Center for Cybersecurity, University of West Florida, Harri Hursti, a leader in the DEFCON election hacking effort, and Cecile Shea of the Chicago Council on Global Affairs. We also reached out and compiled valuable information via email with Harvard University's Belfer Center for Science and International Affairs, the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the Brennan Center for Justice, and Sen. Wyden's office in Washington, D.C.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024