If the upcoming 2020 elections in the United States occur without severe disruption from malicious cyberattackers, some of the credit may go to the wide distribution of Albert sensors by state and local governments.
These devices function as a low-cost intrusion detection system and are being provided to state and local government agencies by the nonprofit Center for Internet Security (CIS).
How Albert Sensors Act as an Intruder Detection Tool
“Our Albert system has its origin in the U.S. Department of Homeland Security’s Einstein program, which does network intrusion detection for federal agencies,” explains CIS CTO Brian Calkin. “DHS approached CIS in 2010 and asked us to do something like Einstein for state governments. Naming it ‘Albert’ seemed like the logical extension of the DHS system.”
The Albert sensor is designed to provide network security alerts when standard malware, as well as advanced persistent threats, are detected on a network. It makes use of open-source software in combination with the expertise of CIS’s 24/7 Security Operations Center, providing enhanced monitoring and rapid notifications for much of the malicious traffic that election agencies may encounter.
The passive sensor sits on the network and collects data, which is then encrypted and transmitted around the clock to the CIS center for analysis. When an alert is verified as actionable, CIS sends an event notification to the organization.
This notification includes the affected IP addresses, identified issues, mitigation recommendations and a copy of the subset of traffic associated with the event. This gives affected agencies the information that they need to begin taking countermeasures.
States Move to Protect Critical Election Infrastructure
Albert sensor deployment started in early 2011 and proceeded slowly until 2016. Prior to the elections that year, the sensors were deployed in fewer than 25 states. But interest increased dramatically in 2017 as evidence emerged of Russian cybercriminal activity touching all 50 states, along with the successful compromise of election systems in seven states.
“In 2017, election infrastructure was designated as critical infrastructure by DHS,” says Calkin. “Starting that year, CIS and DHS began having conversations with state and local election organizations about election security.”
All of this collaboration led to the creation of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
“EI-ISAC was officially kicked off in March of 2018,” says Calkin. “This was at the request of the federal government as well as the state and local elections community, who asked CIS to oversee EI-ISAC in order to develop focused products and services for the election community.”
EI-ISAC offers a forum for election officials, associations, technology vendors, federal partners and cybersecurity experts to share threat landscape information, create educational opportunities and implement technical security controls to help ensure the security and integrity of elections. Other services available to EI-ISAC members include threat notifications, incident response assistance, access to a malicious code analysis platform and vulnerability management communications.
Use of Albert Sensors Continues to Rise
Going into 2020, Albert sensors are now being used by every state, two U.S. territories and several local governments as well.
Florida is one state taking advantage of Albert sensors. Following the 2018 disbursement of $19.2 million in funds from the federal Help America Vote Act (HAVA), the state’s counties began to invest in the IDS hardware. In July, Florida Secretary of State Laurel Lee, while announcing the most recent HAVA disbursements, also mentioned that all 67 counties in the Sunshine State were now using Albert sensors.
The state of Nebraska recently won recognition for its forward-looking use of the Albert sensor. Secretary of State Robert Evnen won the inaugural Innovators Award presented by the National Association of State Election Directors. The award recognized the secretary’s collaborative efforts in helping develop and deploy the first virtual Albert sensor.
“The virtualized version of Albert was built for smaller organizations that don’t have the network bandwidth that would require a dedicated piece of hardware,” explains Calkin. “It saves organizations the cost of a server. When looking at a deployment, we look at it on a case-by-case basis to see what’s the best fit for the organization, the hardware or the virtualized version.”
Nebraska’s Albert deployment was also unique in that it was the first use of a sensor on a voter registration system maintained by a commercial vendor. Four other states using the same voter registration system are following the Cornhusker State’s lead and now using a virtualized version of the Albert sensor.
Additional Election Security Resources
In addition to using the Albert devices, Calkin also suggests that organizations look at CIS’ other resources. “Check out the other half of the CIS house, the best-practices side, the CIS Controls, the CIS Benchmarks,” he says.
“These best practices offer proven ways to secure your environment. It’s community-driven; we have an international community of cybersecurity experts that provide their input on the best practices — it’s all consensus-based.”