Election Security Beyond the Voting Booth
(Last updated on February 17, 2020)
A lot of the focus of today’s U.S. election security discussion is about securing the act of voting itself – things like testing machines, adding paper logs, avoiding internet connections for reporting results, etc.
However, if you’re just focusing on the voting booth, you’re leaving yourself vulnerable in a lot of other ways.
If you’re responsible for or interested in securing your local or state-run elections, you have a long list of items to worry about from complying with legal requirements to contingency planning to cybersecurity and more.
So where do you start?
Free Audits & Assessment From DHS
As a state or local election entity, you have access to free assessment and audit services from the Department of Homeland Security.
- Cyber Hygiene: Vulnerability Scanning
- Phishing Campaign Assessment (PCA)
- Risk and Vulnerability Assessment (RVA)
- Validated Architecture Design Review (VADR)
You can read more about them here.
While good to have completed, the waitlist for some of these services might be outside of your priority window, so what can you do in the meantime?
Perform Your Own Audit
The National Association of Election Officials has a checklist available that can serve as a starting point for securing your election systems and processes.
The checklist includes:
- Identifying critical elements of your election system
- Assessing risk for physical, network and software defenses
- Evaluating your system’s ability to recover from various disaster scenarios
You can see the full checklist here.
This checklist touches on a lot of aspects of network and cybersecurity outside of the voting booth, including ensuring strong passwords for your Active Directory users.
However, one piece of network security is missing.
Check If Your Active Directory Users’ Passwords Are Compromised
The strongest password in the world does nothing if a hacker knows what it is.
While a lot of the election security checklists touch on having strong passwords, they often miss the mark about how to prevent the use of strong but leaked passwords.
And what would a hacker be able to access if they got into one of your AD users’ accounts?
Depending on who, it could mean they have access to:
- Voter registration database
- Plans for election day
- Voter information materials
- Internal assessment & audit data
- Internal communications
- And more
All of which could result in something as “small” as launching a disinformation campaign that looked identical to your own materials or something as “big” as altering your voter registration data.
So how can you check if your Active Directory users are using leaked passwords?
You could try a DIY solution like this one or you could simply download the free (read-only) Password Auditor to see results like this:
The Password Auditor scans and checks passwords of the user accounts against a list of 700 million compromised passwords. The Auditor also provides a full view of the administrator accounts in an organization’s domain, including stale/inactive admin accounts. From a single view, you can identify vulnerabilities that can assist you with your security plan for beyond the voting booth.