Election security is one of the most important parts of an election: it preserves voter safety, prevents voter fraud, and, ultimately, builds public trust in the electoral process. Because so many external pieces must come together during an election, election organizers must implement effective Third-Party Risk Management (TPRM) as part of their security strategy.
Effective TPRM programs help protect against the potential risks and vulnerabilities that external third-party vendors and technologies can introduce. This guide expands on how TPRM can be strategically applied to help safeguard electoral systems against potential cyber threats or data breaches.
What third-party cybersecurity risks does election security face?
The election infrastructure and ecosystem is made up of many external parties, including:
- Electronic voting machines (EVMs)
- Voter registration databases
- Election night reporting systems
- Voting apps and websites
- Online polling systems
- Voter data storage facilities
Each part of the election infrastructure is a third-party security risk that threat actors can potentially exploit to influence the election, steal voter information, or access sensitive government databases. According to the election cybersecurity toolkit from CISA (Cybersecurity and Infrastructure Security Agency), the top three threats that elections face are:
Implementing TPRM in Election Security
The best way to effectively protect election systems against third-party breaches and to help secure third-party vendors and service providers is to implement robust third-party risk management programs. Election security managers can utilize several TPRM or VRM (vendor risk management) strategies to carry out risk mitigation and remediation processes, reduce operational risk, improve third-party relationships, and ensure the integrity of the voting process.
Vendor risk assessments
The first step to any third-party business relationship is to perform vendor due diligence, which includes a detailed third-party risk assessment of that vendor. This security assessment determines if they have a strong security posture and adequate security controls protecting their systems. The vendor risk assessment should focus on their key cybersecurity measures, compliance with legal and regulatory requirements, and previous security breaches.
Risk assessments are a core part of any risk management strategy and are most commonly carried out through security questionnaires, third-party risk scanning, and risk criticality measurements, which culminate in a security rating that provides a high-level overview of the vendor’s risk profile. After the initial assessment is completed, it’s up to the election organizers to determine if the level of risk the vendor introduces is tolerable or if they need to find a new vendor that does not pose as much risk.
Although vendor risk assessments are often carried out during the procurement phase, it’s also important to continually conduct them throughout the vendor lifecycle to ensure they continue to meet minimum security requirements.
Continuous monitoring
It’s important to implement continuous monitoring of the third-party election service throughout the vendor lifecycle. With continuous monitoring (usually done with automated tools), vendors can be monitored in real-time to detect potential breaches or vulnerabilities.
Continuous monitoring also provides deeper visibility into the vendor’s security posture, the status of their IT assets, and the effectiveness of their current security initiatives and controls. Assets that are typically monitored are:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories
- Email servers
Should an asset be breached or the vendor’s security performance dip, continuous monitoring processes will automatically notify you of the incident, giving you time to respond and remediate the threat.
Incident response and recovery plans
In recent years, we’ve seen a number of security incidents during the voting process that have come under major scrutiny. Most notably, in 2016, Russian hackers hacked the Democratic National Committee’s (DNC) voter database to possibly influence the US presidential election. Although it was determined that the hack did not influence the outcome of the election, the information of hundreds of thousands of voters was stolen in the process.
Comprehensive incident response plans to deal with a third-party vendor breach are especially critical. These response and recovery plans detail the specific actions needed to deal with potential breaches and minimize the impact. This includes having defined roles and responsibilities for each relevant stakeholder, communication and reporting plans, and recovery processes to minimize system downtime and public impact.
Some key response and recovery protocols that all vendors should create are:
- Business continuity plans (BCP): BCPs outline how the vendor can continue to operate and resume activity following a cyber attack.
- Disaster recovery plans (DRP): DRPs outline how the vendor responds to a critical security incident and the steps needed to restore IT functionality and access to sensitive information as soon as possible.
- Incident response plans (IRP): IRPs are overarching plans that cover the cybersecurity incidents that are most likely to occur, including details on how to contain a breach incident or data leak, minimize any threat impact, and carry out post-incident clean-up procedures.
Contractual controls
As part of the business agreement and onboarding process, election officials can enforce strict security clauses in contracts with third-party vendors. Some of these clauses should include requirements for regular security updates, breach notification procedures, and right-to-audit clauses to increase transparency and reduce compliance risks. If the vendor fails to meet the agreed-upon security and compliance requirements, the election officials have the right to terminate that business relationship and end the contract.
Essentially, the contract is a binding document that directly outlines the necessary items to maintain the business agreement without any room for ambiguity. Any violation of those terms is subject to termination and immediate offboarding.
Election Security Best Practices
To help build better election security, election officials (typically state-managed) can implement a few best practices to help fortify the election process:
- Use of paper ballots: Paper ballots have been proven to be the most secure method of voting and minimize the chances of fraud. Although the US attempted to transition to paperless electronic voting methods in the early 2000s, the lack of a paper trail and auditing system was heavily criticized and, ultimately, mismanaged. Where possible, election officials should use paper ballots and maintain paper trails for electronic voting to provide a verifiable audit trail and mitigate risks of digital tampering.
- Conduct regular security training: All relevant election personnel should be properly trained on the latest security protocols, election management systems, and updated voting procedures to ensure a seamless start-to-finish process.
- Public transparency and reporting: New security measures and protocols should be effectively communicated to the general public to create transparency in the process. Any possible security incidents should also be reported as soon as possible and divulged to the public in a controlled manner.
- Validating voting software: Leading up to an election, election officials and managers should verify that the voting software being used has not been tampered with or altered in any way. They can hire independent third-party IT auditors to assist in the process.
- Keeping voting machines offline: Although votes are counted and stored electronically, connecting the voting machines to the internet or to another device massively increases the risk of tampering or fraud. Keeping those devices offline can prevent any external hacking or voting issues.
- Access control: Access to election equipment, including its software and hardware, must be managed using access control policies. Access control manages who has access to what systems and equipment, based on their level of need or authority. By implementing this process, officials can limit the impact and inherent risk if the voting software or equipment somehow becomes breached or tampered with.
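One way to carry out the "Validating voting software" check above, as an added example that is not from the original article or any vendor's tooling: compare an installed file tree against a trusted manifest of SHA-256 digests and report modified, missing, and unexpected files. The manifest format, file names, and sample contents are assumptions constructed for illustration; in practice the manifest must come from a trusted source obtained separately from the software itself.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_release(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with the manifest (relative path -> SHA-256)."""
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in sorted(manifest.items()):
        if name not in on_disk:
            report["missing"].append(name)
        elif not hmac.compare_digest(sha256_file(on_disk[name]), expected.lower()):
            report["modified"].append(name)
    # Files that were never listed matter as much as files that changed.
    report["unexpected"] = sorted(set(on_disk) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: a fake install tree altered after the manifest was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin/tabulator").write_bytes(b"tabulator build 1")
        (root / "config.ini").write_bytes(b"mode=precinct\n")
        (root / "ballot_defs.dat").write_bytes(b"contest data")
        names = ("bin/tabulator", "config.ini", "ballot_defs.dat")
        manifest = {n: sha256_file(root / n) for n in names}
        # Simulate changes made between validation and election day.
        (root / "bin/tabulator").write_bytes(b"tabulator build 1 (patched)")
        (root / "ballot_defs.dat").unlink()
        (root / "bin/helper.so").write_bytes(b"not in the validated build")
        return verify_release(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A clean result is only as trustworthy as the manifest and the machine running the check, so the comparison is best run from separate, known-good media.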
Election Security Tools
As part of the campaign to improve election security nationwide, the United States Election Assistance Commission (EAC) has gathered various resources and materials to help local and state election officials enhance their election preparedness. A quick summary of election materials has been provided, including:
Election Threat Intelligence Briefings
The EAC and Mandiant have partnered together to offer Election Threat Intelligence Briefings that cover a wide variety of cybersecurity topics, the latest threats that target US elections, updated threat landscapes, motivations, and geographical locations of potential threat actors. Also included are strategic outlooks to help election officials better prepare and the latest intel on election attacks.
CISA Cybersecurity Election Toolkit
This free toolkit from CISA includes detailed guidance on securing voter registration databases, election reporting systems, and voting machines. It also provides best practices for dealing with the biggest election cyber threats, including phishing, ransomware, and DDoS attacks.
Global Cybersecurity Alliance (GCA) Toolkit for Elections
The GCA also offers a free toolkit to help election officials take actionable items to immediately improve their election security. This comprehensive toolkit follows recommendations listed in the CIS Handbook for Elections Infrastructure Security.
Additional Security Resources
- Incident Response Checklist: The EAC has also created an incident response checklist to help officials ensure they are prepared to respond to any incident that may occur.
- EI-ISAC: EI-ISAC is the “Elections Infrastructure - Information Sharing and Analysis Center”, headed by CIS (Center for Internet Security). CIS aims to build a community of election officials, provide support through its 24x7x365 Security Operations Center (SOC), help implement election security technology, and offer guidance for election supply chain risk management.