This week, hackers from across the globe are gathering in Las Vegas at the annual DEF CON conference for an exercise ripped straight from news headlines — trying to hack U.S. election systems. It’s a unique exercise that has raised a lot of eyebrows in the election community. For me, it’s yet another moment to focus on the topic of election system security and the need for constant vigilance. For all of the hype surrounding the DEF CON exercise and beyond the 2016 election system hacking attempts shaping news headlines these days, attempts to hack into government-controlled systems isn’t exactly a new concept or exercise. There were 10 federal agency cyber breaches in 2014, including targets such as the White House, State Department, Office of Personnel Management (OPM) and Nuclear Regulatory Commission. In fiscal 2016, OPM found federal agencies faced 31,000 “cyber incidents” that led to “compromise of information or system functionality.”
While each of these incidents alarms me, one hit particularly close to home, the December 2016 cyber breach of a public facing web application used by the U.S. Election Assistance Commission (EAC). As the federal commission focused on helping state and local officials administer elections, including how to prevent and respond to cyber attacks, this breach was a true test of our readiness to respond when the worst-case scenario becomes reality. While a breach is something that no entity wants to face, the experience has enhanced our commission’s knowledge and ability to serve state and local election officials as they continue their work to prevent and, when necessary, respond to cyber threats. This humbling experience resulted in tangible lessons that we now use to guide our recommendations for state and local election leaders. Here are the fundamental steps they should take:
• Secure your data: Election offices have a variety of data, including voter registration data, ballot material and precinct mapping information. Americans should know that election officials have always and continue to take the security of that data very seriously. Election officials should consistently review their data security policies with an eye toward implementing proper protection and detection techniques. This should include assessing access control policies, intrusion detection and monitoring settings, procedures for regular offline backups of all databases, as well as a review of firewall settings and encryption levels. The EAC’s checklist for election databases is a good starting point for this effort.