Election Security Spotlight – Virtual Private Network (VPN) for Election Offices
What it is
Virtual Private Networks (VPNs) encrypt and transmit data, allowing a user to securely connect to the internet or access a remote network over an untrusted connection. This ensures that all transmitted data remains confidential.
Organizations use VPNs to allow employees to connect to their internal network when working remotely. Other common uses include securely connecting on public Wi-Fi, user anonymity, and circumventing government censorship. Many cybersecurity firms offer ready-made hardware and software solutions to deploy a VPN. Well-resourced organizations can also develop their own solutions, such as setting up a VPN router to manage secure connections.
When an employee connects to a VPN, it will appear as if they are connecting to the internet from the organization’s network, instead of their remote location. Below is a diagram showing how VPNs may be used in an election system.
Why it matters
Election offices can use a VPN to:
- Protect data streams if an employee must connect to an office network, or transmit sensitive data (e.g. employee or voter data), while working remotely.
- Securely connect local election officials’ workstations to a state voter registration database.
- Securely transmit information to an external partner, such as an election vendor.
When a VPN connection is established, it becomes an extension of your network. Organizations using VPNs should take steps to secure them like any other piece of hardware or software. VPNs are not designed to prevent malware or viruses from spreading between the devices and networks they connect. Devices and networks that are connecting to an enterprise VPN should be trusted. If a vendor’s network, or an individual’s device, has been compromised or infected with malware, a cyber threat actor could use the VPN to access your network or spread the infection.
What you can do
- Implement a VPN where applicable.
- Review CISA’s Enterprise VPN Security Alert.
- Update the hardware and software used by VPNs and implement a patch
management program to prevent malicious actors from exploiting known
vulnerabilities. There have been reports of cyber threat actors targeting
VPNs by exploiting known vulnerabilities in hardware/software systems.
- Implement multi-factor authentication on all VPN connections.
- Work with IT personnel to test VPN limitations.
- Review CIS’ “Telework and Small Office Network Security Guide” for tips on
securing a remote work setup.
- If a trusted third party, like a vendor, provides the VPN used to connect to your
network, confirm they are following the same security principles as your
organization.
- For more tips on working with vendors, review CIS’ “A Guide for Ensuring
Security in Election Technology Procurements.”
—
Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to [email protected] to request a topic.