Cybersecurity is a universal necessity. Whether you're a multinational corporation or a local government agency, safeguarding your digital assets and sensitive information has become paramount. While election offices are safeguarding the heart of our democratic process, they face cyber threats in various forms, from sophisticated nation-state actors to opportunistic malicious hackers seeking exploitable vulnerabilities.

Attacks Targeting Election Offices

In 2022 alone, cyber threat actors (CTAs) targeted multiple election offices just before Election Day. This series of attacks targeted election-related web content and, if successful, could have denied the public access to important information during a critical election period. In one case, the effective use of a single, properly employed cybersecurity measure was effective in stopping the attack.

In a separate cyber attack, this one on Election Day 2022, an election official received an email that spoofed a county office. The election official recognized that the email attempted to gain sensitive information and so alerted others about it, preventing a possible account compromise.

Cyber Defense Measures and the CIS Controls

As with all other industries and organizations, there are fundamental cybersecurity principles that apply to election offices. Cybersecurity best practices are generally accepted guidelines that lead organizations to the best possible outcomes when implementing cybersecurity measures. The CIS Critical Security Controls (CIS Controls) are one such set of globally-recognized best practices developed by security expert consensus that provide organizations like election offices with prioritized recommendations for implementing effective cybersecurity. These security measures provide a comprehensive set of smaller actions (CIS Safeguards) that organizations can implement to protect against the most common attacks.

Layered Defense: Defense-in-Depth

To ensure robust security, the industry standard is to implement a layered defense concept known as "defense-in-depth." It's akin to having a series of protective barriers that require varied aspects of technical expertise to successfully penetrate, making it significantly more challenging for threats to succeed. Effective cyber defense for election offices involves layers of defense at the network level, at the device level (servers and computers), at the user level, and elsewhere.

Many of these safeguards are inexpensive and easy to implement, but some organizations, like a cash-strapped local election office, can’t afford to buy all of the solutions needed for effective cyber defense. This is where operational support from the Center for Internet Security (CIS) factors in.

CIS Support to Election Offices: A Collaborative Effort

CIS operates the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC®), a community of more than 3,600 election offices from all 50 states and six territories that is partially funded in a cost-share model by CIS and Congress through the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Guiding the EI-ISAC is an executive committee consisting of representatives from the election community who are elected by fellow EI-ISAC members.