The rise of attacks on government agencies and election security threats have increased cybersecurity responsibilities for public sector officials, according to experts.
According to Vermont Secretary of State Jim Condos, secretaries of state around the country are not just doing the work necessary to ensure election security, but they are also looking at ways to strengthen their organization’s overall cybersecurity posture. Condos, who also serves as the president of the National Association of Secretaries of State, spoke at the Route Fifty Cybersecurity Roadshow in Boston last week, which focused on public sector threats.
“I never thought cybersecurity would be a big part of my role, as it has become,” Condos said in his keynote. “As public sector officials, we have a responsibility to do everything we can to protect the private data of the people we serve. As secretaries of state, we take to work with protecting our election integrity with incredible seriousness, and we act rapidly when a situation presents itself.”
But effective cybersecurity takes diligence and vigilance — and funding, Condos informed attendees.
While meeting the constant demands for updated equipment and ongoing cybersecurity upgrades requires funding that is too often limited, he said, the designation of election systems as critical infrastructure has opened up additional federal resources for the states.
Adequate funding helps states enhance efficiency and security, purchase new systems, implement additional cybersecurity tools and hire additional IT professionals, he said.
“States need ongoing sustainable funding from Congress so we can keep innovating and evolving, while doing the daily work necessary to defend our system sustainably into the future,” he said. “We need sustainable funding to allow states to plan and implement election security enhancements and to counter emerging cybersecurity threats.”
Information sharing is critical to election security, and associations like the Election Infrastructure Subsector Government Coordinating Council and Election Infrastructure-ISAC (EI-ISAC) have enabled federal, state and local officials to share resources and information regarding election security, he said. It has also improved communications, he added.
“We are working to improve threat information sharing, communications protocols, update elections sector-specific plans, while developing additional resources for our state and local election officials,” Condos said.
Combating misinformation and disinformation on social media is another challenge that public sector officials face today, he said.
“Often, the true goal for foreign adversaries and cyberactors are not just to get into our systems and [cause] damage, but also to sow chaos and discord through public perception,” he said.
Jim CondosVermont secretary of state
State officials are working with social media companies like Facebook and Twitter to improve reporting channels, he said.
Condos highlighted partnerships with the Department of Homeland Security (DHS), FBI and other intelligence agencies to educate voters about election security and why they should rely on state and local election officials as trusted sources for election information.
States have also built partnerships with the DHS and private sector companies to conduct cyberhygiene scans, risk and vulnerability assessments, and penetration testing.
“One of my requirements is that we don’t use the same company for penetration testing two times in a row, so you get a different set of eyes,” he said.
Condos advised investing in training, putting increased resiliencies into place, and developing contingency plans for attacks and breaches.
“Remember, if it’s a computer, they can be hacked … and this is why we need to prepare, monitor and plan to mitigate,” Condos said.
Addressing the evolving threat landscape
David Farrell, cyber program assistant special agent in charge at the FBI’s Boston field office, spoke on a panel at the Route Fifty event about the bureau’s role in ensuring election security. Farrell said the Foreign Influence Task Force, created in 2017, serves as a means to garner partnerships with local, state and federal representatives to share information and best practices about election security, and it helps in staying a step ahead of adversaries.
The Defending Digital Democracy Project (D3P) at the Belfer Center in Harvard Kennedy School focuses on helping state and local election officials to develop strategies, tools and technology to protect democratic processes.
D3P’s Maria Lynch said while cybersecurity can seem daunting for those starting out, it is possible to gain literacy in this space.
“A lot of it is about culture process, and then planning how you want to implement and how you want to respond,” Lynch said.
According to Volpe National Transportation Systems Center information security specialist Brendan Harris, organizations like the National Cybersecurity Center of Excellence can also be a resource for local and state governments.
“If you want to pilot a secure election system, for example, you can work with them to develop what would be a template for that. You would then do a pilot, and that research becomes available to other states who might want to mimic what you did,” Harris said.
State and local governments can also partner with Information Sharing and Analysis Centers, said Shannon LeColst, cybersecurity liaison at Metro Boston Homeland Security Region for the city of Boston. Associations like Multi-State-ISAC and EI-ISAC can help improve the overall cybersecurity health of their organization, LeColst added.
“Just knowing that those services are available is often the first step, because a big disconnect is understanding that there are resources and they’re available to them,” LeColst said. “The more we work together, the more we can change the culture and the underlying idea that it’s not just a technology problem.”