This week, hackers from across the globe are gathering in Las Vegas at the annual DEF CON conference for an exercise ripped straight from news headlines — trying to hack U.S. election systems. It’s a unique exercise that has raised a lot of eyebrows in the election community. For me, it’s yet another moment to focus on the topic of election system security and the need for constant vigilance.
For all of the hype surrounding the DEF CON exercise and beyond the 2016 election system hacking attempts shaping news headlines these days, attempts to hack into government-controlled systems aren’t exactly a new concept or exercise. There were 10 federal agency cyber breaches in 2014, including targets such as the White House, State Department, Office of Personnel Management (OPM) and Nuclear Regulatory Commission. In fiscal 2016, OPM found federal agencies faced 31,000 “cyber incidents” that led to “compromise of information or system functionality.”
While each of these incidents alarms me, one hit particularly close to home: the December 2016 cyber breach of a public-facing web application used by the U.S. Election Assistance Commission (EAC). As the federal commission focused on helping state and local officials administer elections, including how to prevent and respond to cyber attacks, this breach was a true test of our readiness to respond when the worst-case scenario becomes reality. While a breach is something that no entity wants to face, the experience has enhanced our commission’s knowledge and ability to serve state and local election officials as they continue their work to prevent and, when necessary, respond to cyber threats. This humbling experience resulted in tangible lessons that we now use to guide our recommendations for state and local election leaders. Here are the fundamental steps they should take:
• Secure your data: Election offices have a variety of data, including voter registration data, ballot material and precinct mapping information. Americans should know that election officials have always taken and continue to take the security of that data very seriously. Election officials should consistently review their data security policies with an eye toward implementing proper protection and detection techniques. This should include assessing access control policies, intrusion detection and monitoring settings, procedures for regular offline backups of all databases, as well as a review of firewall settings and encryption levels. The EAC’s checklist for election databases is a good starting point for this effort.
• Develop or update cyber incident response and recovery plans: Most election offices have robust and mature contingency plans to ensure the continued operation of an election in the case of natural disaster or man-made incidents. But plans can get stale or out of date quickly, especially when it comes to technology. Officials should not only ensure that their contingency plans include guidelines for cyber incidents, but they should consistently update these plans to reflect new threats or technological advancements. The EAC has made available an incident response checklist and additional resources to aid in the development of a complete response plan.
• Conduct a full review and audit of systems, data, processes and procedures: After every election, most state and local election offices conduct a full after-action review of the prior election. The purpose of this review is to debrief on how the process worked, identify areas of improvement and begin to prepare for the next election. In essence, every election is an opportunity to learn and improve. These post-election reviews are the perfect time to conduct a complete audit of the systems, data, processes and procedures used to run the election. The audit should also include a review of voter registration system logs, updates to chain-of-custody procedures, a re-evaluation of access controls to ensure proper access to systems for only those who need it, and an update to pre-election testing and post-election auditing procedures to reflect new techniques and practices. These procedures aren’t new to election officials, but we can always do a better job of using these examinations to think about potential new threats and ways to enhance protections.
• Take advantage of all available resources: Election offices are notoriously understaffed and underresourced. As they adapt to the new threat environment, officials should take advantage of all available resources. There’s federal assistance available from the EAC, as well as the Department of Homeland Security, which offers cyber hygiene scans, training videos and other assistance. Locally, officials should coordinate with FBI field offices and seek out state-level resources such as cyber training offered by secretary of state and state chief information offices. Private resources, including cyber security scans and white hat hacking, are also available. As threats evolve, so will the types and sheer number of resources available. None of us can tackle this issue alone. We must work together.
I recently told the Washington State Elections Conference that there are two kinds of motorcyclists — those who have laid their bike down and those who will. Cybersecurity threats are so troubling because hackers only have to get it right once and their targets have to prevent and respond every time. While a perfect record may not always be possible, protecting systems to the fullest extent is. As someone whose agency has “laid the bike down” and faced a cyber breach, I know that event crystalized our appreciation for cyber security readiness and incident response planning. It doesn’t matter if it is DEF CON hackers conducting an exercise or another actor actually seeking to penetrate election targets. We must remain vigilant and prepared. The future of our democracy and voter confidence depends on our readiness.
• Matthew V. Masterson is chairman of the U.S. Election Assistance Commission.