Like Cold Weather, Handle Election Security with Layers

What I’m going to tell you in this blog post is nothing new, and no secret to most cybersecurity professionals, but it nonetheless bears repeating leading up to the November US election, and really taking to heart. So here it is: if we really want to defend our election systems (as well as other IT systems), there is no magic amulet, no fairy dust-infused cloak of invisibility, no impenetrable shield you can deploy to protect yourself. There are only layers of protection you can implement that make it increasingly difficult for an attacker to reach the crown jewels of your systems.

If you endure winters like those in Chicago where I live, you might easily find yourself wearing a T-shirt under a flannel shirt under a sweater under a parka – in other words, lots of layers. The layers of cybersecurity aren’t quite that simple or easy to don, but the concept is similar. An attacker may get through one or more layers, but the more layers you have, the more likely you’ll stop the attack. So, what constitutes a layer?

If you think about your data as the core layer – for example a voter registration database that must be protected – then everything around it serves as upper layers. The server that the database runs on is a layer. The network that the server lives on is another layer. The end points, i.e. laptops, tablets, PC’s, smartphones, etc., that access the network is another layer. And finally, the people who run your operation constitute a layer. We could go into more fine-grain detail about additional layers, but I think you get the point.

In ISACA’s election security survey leading up to the November US election, 63% of respondents are not confident in the resilience of election infrastructure. The concerns are understandable; each of the aforementioned layers contain vulnerabilities that must be protected, and although it would be great if one product or one process could protect them all, no such magic bullet exists. Instead, each layer needs specialized software and processes to keep it safe (and the people layer can only be addressed though ongoing training). If you’re an election manager or elected official, it won’t be necessary for you to learn the product names of all the varied software tools that exist for each layer. But you should definitely converse with your IT team, whether they’re in-house or outsourced to a third party, to gain an understanding of the layers your operation possesses (hint: you’ll have all of ones mentioned above, plus maybe some more), and what types of protections have been implemented for each layer in your operation.

I’ll digress a bit here to address a common fear of operational managers when interacting with IT people and hoping to come away with something vaguely understandable. Your IT team may hit you with tons of jargon, but remember, you’re responsible for the operation and you’re no doubt a pretty savvy person with plenty of relevant election experience. So, my rule of thumb with IT teams (I’ve managed such teams for decades) is that if someone is explaining something to me that I don’t understand, it’s not because I’m stupid. It’s because the person explaining it isn’t being clear. So, feel free to fire away with as many questions as you can to make sure you understand what they’re telling you. For example, they may say they have a sophisticated SIEM tool in place. Don’t just nod OK. Ask them what the heck that means and how exactly it provides protection.

This brings me to the most important element of layers, and that is the concept of risk management. It’s critically important to understand the risks your operation (such as administering an election) is exposed to. Here’s a simple formula for calculating risk: multiply the damage that a breach could do by the probability that it could happen, and that’s your risk. Don’t worry about precise numbers or exact quantities, just understand the likelihood of occurrence times the damage done. This may be more difficult than you think, but here’s an example. The worst malware scourge out there today is ransomware. In a ransomware attack, a hacker gets into your system and encrypts your critical data so you and your team will have no access to it, and you can only retrieve it by paying a hefty ransom. If your voter registration database were locked up by a ransomware attack two weeks before the election, that would cause significant damage. If when talking with your IT team about layers of protection they can’t describe to your satisfaction how such an attack could be prevented, and how it could be recovered from in case the prevention fails, then you are at high risk and you need to do something about it (maybe bring in outside help). This is how you should address each of the layers of your operation. Consider the worst-case scenario and the damage it would do, then assess whether your current protections are sufficient to reasonably ward it off.

But since no security is perfect, we need to think about recovery from a successful attack. Everyone reading this is probably familiar with the concept of data backups, but in the era or ransomware, we need to go a step further to non-network connected backups. Today’s ransomware is very sophisticated, and if your data backups are on your network, the ransomware will find them and encrypt them, too. So, you need to keep backups on some media that is not connected to your network, either old fashioned data tapes, USB devices or some other method. This is your last line of defense if every other layer is breached.

Finally, I will point out that in the realm of elections, cyberattacks are only one threat, and perhaps not the most dangerous. Social media disinformation attacks can do just as much, if not more, damage to an election. The layered defense I’ve talked about here isn’t aimed at that social media threat, but it’s very real and needs to be prepared for, perhaps by an outreach campaign identifying your website as the “Trusted Source” of election information. For everything else, dress in layers!

Editor’s note: McDermott will be a panelist on ISACA’s "Lessons from Election Security Challenges" webinar, to take place on 1 October.