GSX Learnings: Applying Security Practices to the American Electoral Process

By Susan Friedberg

The security of the American electoral infrastructure is of critical national interest. Free, fair, and safe elections are a vital priority of the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA), which supports the state and local election communities and the American public to ensure they have the necessary tools to manage risk and build resilience in the nation’s election infrastructure.

In the GSX presentation, “Combatting Insider Threats in Election Infrastructure,” Chris Piper,

(COO, Elections Group), Kim Wyman (Senior Election Security Lead at CISA), Amanda Grandjean (Director of Elections, Deputy Assistant Secretary of State at Ohio Secretary of State’s Office), and Matt Crane (ESI Subject Matter Expert Consultant at CISA) shared their collective experience implementing and advancing security tools and techniques for elections, to prevent any intentional or unintentional harm.

Understanding the Business of Elections

Departments of elections are continually assessing threats to their processes, conducting resilience training, and updating their standard operating procedures. The speakers discussed three primary security considerations: cybersecurity, physical security threats, and insider threats, including the spread of misinformation.

Grandjean said election security leaders are faced with the challenge of creating a comprehensive election infrastructure for a decentralized system. State and local elections may vary in the types of ballots, the voting timeframe, and the cadence of elections. Comprehensive election security cannot be focused on one single area, but rather must be a program with multiple layers.

Utilizing Federal Resources to Strengthen Elections

Regardless of the size of the election resources in a city or county, local election officials have the resources to investigate any threats to their election. Wyman shared information about the Help America Vote Act of 2002, which established the Election Assistance Commission (EAC). This organization is dedicated to assessing and improving voting systems and voter access and provides funding to help states meet mandatory minimum election administration and security standards.

CISA also works with local governments to quickly identify and mitigate any threats and provide year-round training for local election officials to identify common threats and harden their security posture. 

Deploying a Layered Approach to Election Security through Standard Operating Procedures

Piper emphasized that multiple security techniques and processes need to be in place to help cover various security considerations at each election, starting with robust standard operating procedures, hardened access control, strict chain of custody, and zero-trust security.

With standard operating procedures, election officials recognize quickly when a task or role deviates from protocol. Piper shares that election officials can learn from the security community to create these SOPs and execute them.

Every community that holds elections must also have a policy in place for access control. CISA helps election officials create SOPs that document the chain of custody of election equipment and ballots. A zero-trust security approach eliminates implicit trust and continuously validates every stage of the voting – from ballot printing to post-election audits. For example, this end-to-end technique is applied to how a voting tabulator is stored, tested, transported, and deployed, and to securing, transporting, and counting ballots. Election officials strictly document this process to show that the chain of custody has been met perfectly.

Addressing Constantly Evolving Election Security Challenges

Security directives are continually updated, incorporating advancing cybersecurity techniques and reflecting the desire from voters for transparency. For example, security approaches include stress testing software, increasing physical on-site security with the latest surveillance technology, enforcing additional logging, deploying seals to voting equipment, and securing devices with double-locking keys.

Poll workers also undergo special training, reflecting new security directives, and are mandatory reporters should they observe any wrongdoing. Insider threats are continually monitored so that polling workers and their efforts can also stand under scrutiny.

Building Public Trust Through Transparency

According to CISA, “securing election infrastructure from new and evolving threats is a vital national interest that requires a whole-of-society approach.”  American voters have many open avenues to connect and learn about election security practices. Grandjean shared an infographic from the Ohio Secretary of State that describes to voters the core tenets of the voting security process. CISA also has a public library of election security resources for the public.

Every speaker emphasized that boards of elections and election officials must also include public relations as a part of their role. Ultimately, whenever there is a public demand or question of election security, election officials will have the tools, checklists, and transparent processes to demonstrate their commitment and compliance with federal election standards.

Susan Friedberg is Marketing Communications Consultant based in San Francisco and an ASIS Member. Reach her on LinkedIn.