Signs of a Mature Election Security Strategy
Ohio’s policy has won praise from both private sector and public sector cybersecurity leaders.
Matt Olney, a director at Talos, Cisco’s threat intelligence division, said it indicated how far some states had come in enhancing election security. “The vulnerability disclosure policy invites the best and brightest,” Olney said at an event in Ohio with LaRose in August, according to StateScoop.
Matt Masterson, a senior adviser on election cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, also praised Ohio’s stance.
“Ohio really is ahead of the curve on this,” Masterson said at the same event, according to local station WCPO. “They’re already taking proactive steps.”
DHS receives daily risk intelligence from all 50 states about election security threats and sees Ohio as a unique partner. “Now you get the benefit of the incredible cybersecurity researchers across this country,” Masterson said, according to WCPO. “You’ve given them permission to and an ability to work with you to identify those holes in your outer perimeter.”
The white-hat hacker policy applies to websites and not to voting machines, electronic poll books, remote ballot markers or county voter registration systems. It also does not permit phishing attacks, defacement, denial of service or DNS spoofing.
Of course, Ohio has been busy putting in place other election security measures ahead of November. The state has deployed endpoint detection and response software and “required counties to develop contingency plans for any incident that disrupts the voting process,” StateScoop reports.
“The bad guys only have to be right once,” LaRose said, according to StateScoop. “We have to be right every day.”