Cybersecurity and Elections: What can be done?

Elections systems are like banks, in that our faith in their security matters almost as much as the actual security itself. As we are beginning to learn, if you undermine that faith, you can do a lot of damage. One only needs to turn on cable news for a few minutes to realize that our nation’s adversaries have proven they can attack our elections and be effective.

On the other hand, elections systems are unlike banks in that they are often under resourced and lack security expertise. People have been trying to break into banks electronically for years, whereas this seems like a newer issue for elections.

For those who have resources or who are larger targets, like Secretaries of State and national political parties, the Defending Digital Democracy Project at Harvard has been leading the way in informing political professionals on cybersecurity. In addition, there are a number of cybersecurity vendors who are offering free services this elections season. As a veteran, I think this is a terrific show of patriotism and I’m very proud that NETSCOUT, the world-wide leader in DDOS protection, is among them.

While a mature strategy and complete security stack are vital, NETSCOUT specifically focuses on ensuring the availability of timely and accurate election results. A major DDOS campaign, which is a time-tested attacker technique, could easily prevent the results of critical elections from being known for hours or even days. While this might not seem like a big deal initially, not knowing which candidate won or which party controls Congress could seriously undermine public faith in the election. That is why we are offering free cloud-based DDOS protection to select elections officials, including relevant threat intelligence, through the November election.

With less than 30 days to go before the congressional midterm elections, here are a few cost-effective steps that campaign and elections officials can take right now:

• Assume you will be breached. Your campaign is definitely a target and you should just let that sink in. The higher profile the candidate, the bigger the target.
• Develop a strategy. Don't make this harder than it needs to be. Just take a look at your campaign and identify your "critical assets." Rank what really needs to be protected (hint: it’s likely communications with your boss) and prioritize that.
• Outsource. Are you a security expert? Do you have millions of dollars in overhead to spend on world-class security infrastructure? Probably not (unless maybe you work for Bloomberg). You know who does? Google. Don't home-brew your own infrastructure when Google, Amazon, and Microsoft are much more sophisticated.
• The 80/20 Rule. Once you have your strategy, follow the 80/20 rule. Basically, a few simple things will get you 80% of the security you need. Here are some basic (and free) hygiene rules that go a long way:
  • Use a strong username and very strong password for everything. Make them unique. Set policies to change passwords every 60 days. If this is hard, which it is, use a password manager like Okta.
  • Use multifactor authentication everywhere you can.. If you don't know what MFA is, you better ask somebody.
  • Encrypt everything (including using encrypted messaging apps like Signal or Wickr). It's a pain. Everyone hates it. Do it anyway.
  • Delete your emails. Do you need to keep every email forever? If not, why keep them around for a hacker to find (see bullet #1)? You can often set rules that auto-delete emails after a set period. Gmail now lets you do this very easily.
• Prepare your PR strategy. Again, assume you will be compromised. Plan your response ahead of time so you aren't caught flat-footed. 

With so many other important issues to debate this election season, NETSCOUT is proud to join others in the security community to do our part to ensure the democratic process is safe and secure.