Security Risk in Election Technology Procurement

Assessing Risk

All IT has risks. Efforts to mitigate some risks inevitably leave other risks unaddressed. Leaders must determine which risks are acceptable in the face of limited resources. To understand and prioritize their risks, all organizations should conduct regular risk assessments. Risk assessments can be sorted into two categories:

  1. Self-assessments: In-house risk assessments are generally faster and less expensive while still providing useful insight into your cybersecurity posture. Good self-assessment options include the National Cybersecurity Review (NCSR) and the CIS Controls Self Assessment Tool (CSAT). EI-ISAC members can also use tools through CIS’s SecureSuite, which is free to all members. You can also use the Essential Guide to Election Security to help determine the appropriate best practices against which to assess your organization.

  2. Independent assessments: Because they are conducted by outside assessment specialists, independent assessments usually cost more and take longer, but they are more objective and thorough. Where time and resources permit, they are preferable even when an organization has deep cybersecurity experience.

Risk Assessments

Organizational Risk

Risks in election infrastructure vary, but one defining characteristic is the type of connection a system has with a network or the internet. CIS has identified that the highest level of risk stems from systems that are network-connected, that is, connected to any network (not just the internet) at any time. This network-connected category includes most voter registration and election night reporting systems, and may also include ePollbooks and other non-voting election technology.

Systems that are never connected to a network still require careful assessment and prioritized mitigation of risks. These indirectly connected systems exchange data with each other, and with other systems, only through removable media such as USB drives. Voting machines and tabulators typically fall in this category.

Beyond network-connected and indirectly connected systems and devices, an additional area of risk involves the transmission of data between systems. For example, ballot definitions and PDFs may be well protected within the jurisdiction's systems but have risk introduced when they are emailed to a third party to be physically printed.

These risks can and should be managed, and part of that process is understanding and managing cybersecurity risk in IT procurement.

System Categorization

Individual System Risk

Most security controls impose a cost of some kind, whether time, money, reduced access or usability, or all of the above. Mandating that a vendor implement all possible security controls is often impractical or will undermine business objectives. This makes it critical to determine the right set of controls for any given system.

For that reason, we don't recommend applying all of the best practices in this guide to every system. Rather, some best practices should be implemented on all systems, others only on operational systems, and some only on critical systems. For instance, some basic website security measures should be applied to any system that has a website, while some advanced malware detection approaches are expensive and difficult to implement, and thus we recommend them only for critical systems.

One way to think about the application of these best practices is by considering whether a system is critical or operational. Operational systems should have more rigorous protections, while critical systems should have even the most stringent protections applied, so long as they are applicable to the system. The best practices have recommendations according to these three categories:

  1. All systems: The best practice is a reasonable investment to expect for any type of election system. It is vital to ensure mitigation of the most common threats.

  2. Operational systems: The best practice is a reasonable investment for systems that are important to successful election operations and thus carry greater risk. Systems with other security mitigations, backups, etc., may not need this best practice. Procurements of all critical systems and those with relatively high risks should implement the best practice.

  3. Critical systems: The best practice is necessary only for critical systems, which are those with the highest consequence of a successful attack. These are typically the most expensive and difficult best practices to implement; requiring them will likely have an appreciable impact on the cost of your procurement, but they are likely necessary to reduce risk to an acceptable level.

These classifications serve as a starting point for differentiating between types of systems in an elections technology procurement, but they should be tailored to meet the needs of a specific environment.

Best Practices