Mar 11 2024

6 Steps (and More) for Improving Election Security for Local Agencies

Government caretakers of voting infrastructure must continually improve their cyber resilience.

As the 2024 election season continues, local jurisdictions administering voting sites should seek to ensure strong cybersecurity for their organizations.

The U.S. Cybersecurity and Infrastructure Security Agency provides some starting points for doing so in its #Protect2024 campaign. Here are six steps recommended by CISA.

1. Enable Multifactor Authentication

MFA requires more than simply a username and password to access data and resources. In addition to a password, a system may require users to enter a code sent to a phone or email, scan a user’s fingerprint or use face recognition software (such as Apple Face ID), or enter additional data. MFA verifies identity through one of these methods and allows access to authorized users only. Government agencies have a number of relatively quick ways to implement MFA solutions available to them. In addition, CDW Security Solutions employs a large bench of MFA security professionals ready to help government agencies design a strategy that is right for them.

Click the banner below to assess zero trust architecture for government security.

2. Know and Manage Cyber Vulnerabilities  

Government agencies can consult their staff experts, managed service providers, trusted vendors and other sources for identifying  vulnerabilities. CISA offers cyber hygiene vulnerability scanning for state and local government authorities as a free service. Managed service providers can actively mitigate threats that exploit those vulnerabilities. Agencies also strive to enhance their cyber resilience to be able to withstand and recover from cyberthreats. A CDW Strategic Application Modernization Assessment can scan the source code of any election-related custom applications for security vulnerabilities and generate best practices for securing them.

3. Assess the Security of the Government Enterprise

CISA provides physical security assessments, as do state emergency management agencies. Again, managed service providers such as CDW Security Solutions can step in and go the extra mile for those requiring comprehensive threat assessment and mitigation services. A security maturity assessment can provide a government organization with a deep dive into its security posture and recommendations for how to improve it.

MORE FROM STATETECH: Arctic Wolf CTO discusses election security.

4. Get a Government Domain

A .gov domain is available only to U.S.-based government organizations. Thus, an agency using a .gov domain can instantly assure visitors that its websites are legitimate. The National Association of State Chief Information Officers has made adoption of .gov domains a top advocacy priority. “With rampant misinformation and disinformation campaigns from issues ranging from election security to COVID-19, it is paramount that citizens receive accurate and trusted information from government websites,” NASCIO says. Yet only 8.5 percent of local governments used .gov domains as of 2021.

5. Rehearse Incident Response Plans

Government agencies can run tabletop exercises and other drills to test their incident response plans. In 2022, the Center for Digital Government found that fewer than half of state and local government leaders surveyed for a report had incident response plans specifically for ransomware, suggesting that there may still be a lot of work to be done in crafting and supporting incident response plans in general. CDW Government offers services to help state and local agencies design, implement and test incident response plans. We also provide staffing to lead or support planning operations. Our own incident response team is available on an ad hoc basis when needed.

DIVE DEEPER: Cybersecurity lessons learned from the 2020 U.S. elections.

6. Join the EI-ISAC

All state, local, tribal and territorial  governments can join the Elections Infrastructure Information Sharing and Analysis Center. The EI-ISAC is hosted by the Center for Internet Security, a nonprofit organization dedicated to defeating cyberthreats to state and local government agencies. The EI-ISAC receives funding from the U.S Department of Homeland Security to provide agencies with cybersecurity tools such as threat intelligence monitoring, incident response services, threat and vulnerability assessment, cybersecurity awareness and training, and more.

Beware of Sophisticated Sources of Misinformation

In 2019, the National Association of Secretaries of State inaugurated its Trusted Info initiative, and it recently revised guidance for its #TrustedInfo2024 campaign. Most state government secretaries of state serve as the chief election official in their jurisdictions.

“By driving voters directly to election officials’ websites, social media pages, and materials, they will be able to receive credible, timely information on each step of the elections process,” NASS says of the bipartisan initiative.

Prior to the 2020 national elections, social media was already replete with misinformation and falsehoods. Today, the boom in readily available artificial intelligence tools potentially augments the capabilities available to bad actors seeking to sow confusion and discord among voters.

“In 2024, we should be most concerned about the role of generative AI, which is an emerging technology that can create video, text, or images of people saying things they didn’t say and doing things they didn’t do,” said Janet Coats, managing director of the University of Florida’s Consortium on Trust in Media and Technology.

In February, tech companies (including Adobe, Amazon, Google, IBM, McAfee, Microsoft and others) agreed to “combat the deceptive use of AI in the 2024 elections.”

“As society embraces the benefits of AI, we have a responsibility to help ensure these tools don’t become weaponized in elections,” said Brad Smith, vice chair and president of Microsoft. “AI didn’t create election deception, but we must ensure it doesn’t help deception flourish.”

This article is part of StateTech’s CITizen blog series.


shironosov/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT