Content

Senate Intelligence Committee offers up election cybersecurity plan

The Senate Intelligence Committee has released a six-point plan to boost election security to ensure the United States' electoral process is safe from foreign meddling that centers on increasing deterrence capabilities and better communications between the federal and state levels.

The plan, which comes in response to the Committee's determination that Russia did its best to interfere and influence the 2016 election cycle, will be further discussed during a full meeting on election security on March 21. Several Committee members discussed some of the details during a press conference on March 20. Members from both sides of the aisle called the need to protect the election process from cyberattack a true bipartisan issue.

“Let me say this with a great deal of confidence. It is clear the Russian government was looking for vulnerabilities in our election system,” said Committee Chairman Sen. Richard Burr, R-N.C., during the press conference, adding “There is no evidence that any vote was changed.”

The recommendations address several problems that the Committee's investigation has uncovered, including poor communications between the Department of Homeland Security, the FBI and state election officials and the federal agencies ability to properly meet the threat during the election process.

“We were all disappointed that the states and the DHS were not more on their game in the lead up to the 2016 election,” said Committee co-Chairman Sen. Mark Warner, D-Va., noting it took the DHS almost nine months to notify the affected states that they had been targeted by the Russians.

Sen. Susan Collins, D-Me., brought up the fact that the alerts that were issued by the DHS and FBI were vague and did not properly express the severity of the problem.

“The Federal alerts in 2016 were not clear that the threat to the election was from a foreign government,” Collins said.

The Maine senator also brought up that everyone involved made a mistake in not publicly disclosing at the time that the Russians were attempting to interfere with the election. Collins said this was done with the proper intention to not place in the public's mind that the election process was tainted in anyway, but she added that France and Germany were upfront with what was taking place during their recent elections and that greater public disclosure proved to be a benefit.

Here is a summary of the Committee's recommendations:

1. Reinforce States' Primacy in Running Elections

• States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

2. Build a Stronger Defense, Part I: Create Effective Deterrence

• The U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.

• The Federal government, in particular the State Department and Defense Department, should engage allies and partners to establish new international cyber norms.

3. Build a Stronger Defense, Part II: Improve Information Sharing on Threats

• The Intelligence Community should put a high priority on attributing cyberattacks both quickly and accurately. Similarly, policymakers should make plans to operate prior to attribution.

• DHS must create clear channels of communication between the Federal government and appropriate officials at the state and local levels. We recommend that state and local governments reciprocate that communication.

• Election experts, security officials, cybersecurity experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.

• DHS should expedite security clearances for appropriate state and local officials.

• The Intelligence Community should work to declassify information quickly, whenever possible, to provide warning to appropriate state and local officials.

4. Build a Stronger Defense, Part III: Secure Election-Related Systems

• Cybersecurity should be a high priority for those managing election-related systems. Basic but crucial security steps like two-factor authentication for those logging into voter databases can improve the overall election security posture. States and localities should also take advantage of DHS offerings, to include DHS's network monitoring capabilities.

• The Committee recommends DHS take the following steps:

·       Working closely with election experts, develop a risk management framework that can be used in engagements with state and local election infrastructure owners to document and mitigate risks to all components of the electoral process.

·       Create voluntary guidelines on cybersecurity best practices and a public awareness campaign to promote election security awareness, working through the U.S. Election Assistance Commission (EAC), the National Association of Secretaries of State (NASS), and the National Association of State Election Directors (NASED).

·       Expand capacity to reduce wait times for DHS cybersecurity services.

·       Work with GSA to establish a list of credible private sector vendors who can provide services similar to those provided by DHS.

5. Build a Stronger Defense, Part IV: Take Steps to Secure the Vote Itself

• States should rapidly replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability. If use of paper ballots becomes more widespread, election officials should re-examine current practices for securing the chain of custody of all paper ballots and verify no opportunities exist for the introduction of fraudulent votes.

• States should consider implementing more widespread, statistically sound audits of election results.

• DHS should work with vendors to educate them about the vulnerabilities of both the machines and the supply chains.

6. Assistance for the states

• The Committee recommends Congress urgently pass legislation increasing assistance and establishing a voluntary grant program for the states.

·       States should use grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services, among other steps.

·       Funds should also be available to defray the costs of instituting audits.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.