Q: Election security has been a front-burner issue for several years now, including the security of voting devices as well as back-end management systems. How has that conversation shifted as a result of the disruptions over the last year and a half?
In a way, the election management industry has been worried about cybersecurity for years, and working diligently on it. I think what’s happened after the last presidential election is that other industries related to elections and the general public are thinking about cybersecurity of elections more. In the elections management industry, people have known that the most likely weaknesses are email phishing attacks or something that happens when a person makes a mistake. I think those things have been brought to the forefront, and it’s created a higher level of fitness and a better security posture across the vendors, partners and even insurance providers that we deal with. It’s like everybody suddenly got in shape to run the marathon that we’ve been running for a while. Overall, it’s going to lead to greater resilience.
Q: What are some best practices people can do to stay safe?
A lot of people are now working in a hybrid or remote work environment, where they’re not behind a firewall. They have to just think about security. There should be a basic training, a boot camp everybody has to go through to learn the basics. Users need to have very strong passwords and rotate them whether or not the systems they’re on require that. They should essentially treat every system like it has a one-month password expiration. In addition, they need to be careful with what they reveal about themselves on social media, and be careful with how they answer or forward emails and how they treat privileged information. People need to be more diligent about identifying suspicious-looking emails. Those working remotely should have a workspace that is separated from home life. Overall, people need to be careful about information they reveal. A good healthy dose of paranoia will help us out here.
Q: How can teams strengthen cybersecurity for elections in the midst of remote and hybrid work environments?
In the past organizations have done self-assessments and created a number of policies about how to treat hardware, incident management, etc. They would write up these 300-page word documents and then get a third-party audit of the ongoing process. The bar has been raised, and auditors want to see more detail. So one recent trend we’re seeing is the emergence of compliance as code, infrastructure as code, policies as code. The basic idea is that your policy documents are less static and they’re treated and managed with the change control processes that software developers use. It’s ultimately more fluid and transparent.
Q: What should states and localities keep in mind as they approach hiring for cybersecurity?
It’s always been competitive. And it’s sometimes hard to hire someone with a specific specialty, with the right culture fit. I think governmental entities should pitch themselves as organizations that care about the public and where people can actually work on something that’s going to help society or maintain peace and order. Government institutions need to realize that they actually have a competitive advantage in attracting people.
EasyVote Solutions provides software applications that streamlines the processes behind running successful elections. Our mission is to use technology to modernize the elections process. EasyVote’s customers are city, county and state elections offices currently located in over 20 states across the US. Our customers find that the EasyVote Election Management Platform excels at the following; reducing the time to perform election tasks, improving communication and accuracy between election officials and workers; and providing data, enabling election officials to make intelligent, informed decisions.