Election Security Spotlight — Risk Management
What it is
Risk management is the process of identifying, assessing, prioritizing, and responding to threats to mitigate risks. Risk management is an ongoing process that must be routinely reevaluated. The basic elements of risk management include:
- Asset: Anything that holds value (tangible or intangible), such as data, property, and people.
- Threat: Something that can exploit a vulnerability to steal, damage, or destroy an asset.
- Vulnerability: A weakness or flaw that can be exploited by a threat.
- Risk: A potential for loss of or damage to an asset when a threat occurs.
- Response: An action taken to address a risk.
The graphic below illustrates how the elements of risk management operate:
All organizations must consider risk management. Election officials must consider risk management, and reassess risks, as they plan for each election.
Why It Matters
Election officials work everyday to protect one main overarching asset: our nation’s critical infrastructure. Given the ever-changing threat landscape today, it is imperative that election officials take a look at the big picture of what it takes to prepare for and conduct a successful election as well as identify potential risks at any point during the process. As technology advances, new threats with the potential to exploit vulnerabilities emerge on a daily basis. For this purpose, election officials must reassess the potential risks prior to every election.
What You Can Do
If your election office has not already implemented risk management policies and procedures, you need to consider implementing them prior to your next election and especially before the 2024 General Election. Use the graphic above to think through every system you use and the risk to which a given system could be vulnerable. Consider voter registration systems, e-pollbooks, voting systems, results tabulation, and results transmission to your website. These are the assets that you are charged to protect as an election official.
To put this in perspective, here’s an example:
- Asset: Voter registration system
- Threat: Distributed Denial of Service (DDoS) attacks
- Vulnerability: Voter registration systems are hosted online and utilized by election officials throughout the state for early/absentee voting while residents spend time registering to vote, finding their polling place, and viewing their sample ballot. Heavy traffic on this website prior to the 2024 General Election is expected. In addition, cyber threat actors (CTAs) may put additional stress on this system.
- Risk: The voter registration system may become very slow or crash.
- Response: Ensure that your jurisdiction has DDoS protections in place to combat this threat and get the website up and running again as soon as possible.
For assistance in identifying risks and the associated potential ramifications, please review CISA and the EAC’s Election Risk Profile Tool. In addition, to see some examples of risks and responses regarding election results reporting, please visit: https://www.cisa.gov/sites/default/files/publications/election_results_reporting_risk_mitigations_508.pdf.
Please contact us at [email protected] if you have any questions.