Election Infrastructure as a Critical Resource: Background
In March 2018, President Trump declared “Election Infrastructure” as a critical resource for the United States. Congress appropriated $385 million for the use of cybersecurity activities by states and local election officials as part of the Help America Vote Act (HAVA). The Department of Homeland Security (DHS) including their Cybersecurity and Infrastructure Security Agency (CISA) and the Center for Internet Security (CIS) published services and consulting programs for state and local governments to utilize. These programs are based on the National Institute of Standards and Technology (NIST) framework for Improving Critical Infrastructure: Cybersecurity. Each state has autonomy to spend their portion of the federal funding as they see fit. Most states spent money on hardening their statewide registration system and upgrading their voting machines. Few states have yet made money available to the local election districts and even fewer have provided a baseline of security procedures for local election districts to achieve.
Cybersecurity is the practice of creating a secured environment based on preferred principals. These principals are both technical and non-technical in nature and involve both human behavior and network behavior. There are over 16,000 election authorities nationally, each district is different in size, experience and regulation which means that there is no simple “one size fits all” solution. Unfortunately, most election officials do not understand the underlying principles of cybersecurity nor do they understand how to create a secured environment using these principals. Instead, most people, and especially the media, discuss specific tactics and specific dangers without the larger picture of an election environment. Worse, most people, including some election officials, think cybersecurity is only about technology and they excuse themselves from responsibility by passing it to over to their “IT” people.
Pike County, Mississippi Situation
In Mississippi, the county Circuit Clerks are in charge of elections within their county and are supported by locally appointed Election Commissioners. During the fall of 2018, Scott Madlener of Inclusion Solutions made a routine site visit to Pike County to meet with Roger Graves, the Circuit Clerk and Trudy Berger, an Election Commissioner. Pike County, is a typical election district in Mississippi with a population of about 40,000. The Pike County Circuit Clerk’s office is in the main county court house while the election commissioners and election equipment are across the street in a building called ‘Election Central.’ The Election Central building also houses the Public Defender’s Office. Pike County was ready to discuss infrastructure because the courthouse, and main polling place, had suffered a painful weather related power outage during an election in 2016.
Pike County, Mississippi Solution
While reviewing the Pike County election environment and discussing the Inclusion Solution Cybersecurity Coordinator Program, Scott explained that Cybersecurity in the Government’s context is meant to mean “Information Security” and includes physical security. Due to the specific nature of the Election Central building, Scott suggested that Roger and Trudy connect with their local DHS Protective Security Advisor (PSA), James “Max” Fenn, for a physical security assessment. Pike County requested a physical assessment from DHS of their Election facilities and discovered several security issues. Trudy followed-up with Scott for help understanding the assessment and to discuss next steps. When the state made the HAVA funds available several months later, Trudy again connected with Scott for support in writing the state’s procurement request.
When Pike County received their HAVA funds for physical security upgrades, it was an easy decision to begin working with Scott Madlener and Inclusion Solutions’ Cybersecurity Coordinator Program. The Cybersecurity Coordinator program involves consulting rather than training, meaning the program actually ‘moves the needle’ for clients with meaningful security upgrades. Rather than trying to force non-technical people to become technical, the program is designed to increase Election Officials’ understanding of risk management as it relates to Information Security. The goal is to raise the Election District’s cyber maturity while at the same time hardening the election infrastructure.
The Cybersecurity Coordinator program consists of a series of regularly scheduled conference calls lasting less than one hour over a period of several months. Based on each client’s experience and environment, the calls consists of a specific Information Security Risk topic, custom worksheets and next steps. When policy and technical changes are required, we discuss a plan. When money needs to be spent, we work to put together a HAVA request.
Once Pike County initiated Inclusion Solutions’ Cybersecurity Coordination Program, Scott worked with Roger Graves and the Circuit Clerks Office in the county courthouse building, Trudy Berger and the election commissioners in the Election Central building and the Pike County IT Staff who are responsible for the entire county government. Scott provided a large picture overview as well as helped with specific issue logistics. The Cybersecurity Coordination program began by helping Pike County officials understand their infrastructure and critical stakeholders from an Information Security standpoint. The program walked them through important areas of risk management and priority setting. And the program helped Pike County sign-up for DHS services and become the first Mississippi county registered with the EI-ISAC.
Most importantly the Cybersecurity Coordination program is designed to enable counties to respond to current events and/or requirements. During the regular course of the Cybersecurity sessions, the state issued a cybersecurity questionnaire which Pike County was able to assess and answer in a proactive format. This work created a follow-up session discussing possible policy and budget needs based on items in the questionnaire. Additionally, sessions were tailored to other current events such as ransomware attacks on other local governments and incident response planning.
“Scott Madlener with Inclusion=Solutions has been consulting with Pike County (re: Cybersecurity) for a couple of months now. We’re doing it via teleconference sessions, sometimes with Roger, sometimes with our county IT folks – but the main thing is he’s leading us through the forest of cyber security. He makes the subject so relatable – I haven’t found anyone else with that ability.”
Trudy Berger – Election Commissioner
Pike County, Mississippi