CISA Releases Cybersecurity Toolkit for Elections
The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Joint Cyber Defense Collaborative (JCDC), has published a guide for election systems cybersecurity. Designed to help US state and local election officials, the Cybersecurity Toolkit to Protect Elections includes a tool to assess their risk profile as well as information about tools and services that can be used to help secure election infrastructure assets.
While free toolkits are obviously lower in acquisition cost, they still require a level of cybersecurity skill to use for any purpose other than producing “fill the binder” documentation. For example, the first step in this process is to use the online Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission. The bad news: it asks the filler-outer to estimate risk at the Confidentiality/Integrity/Availability level with slider bars. All too often in the US election system, the person filling out this form will have no idea of what the risk level is and may not even understand those terms. The good news: the slider bars show curves for how election experts assessed the CIA risk and (at least on my browser) the default risk estimates are fairly high and clicking through maintains those defaults. The CISA focus on free tools unfortunately perpetuates the myth that additional spending on staffing and training by state and local is not required for election security – both are badly needed.
When performing a self-assessment, one of the hardest parts is to be brutally honest about your current state, particularly if you're not used to this. Here is a case where peer review can help you. The Election Survey Risk Profile tool is ten pages of questions, with your answers driving added questions. Once you have an honest assessment, then the real work begins of addressing issues. CISA is leveraging the NIST Cybersecurity Framework, so there are plenty of resources and expertise to help you succeed.
As the tool suggests, in order to be effective, much less efficient, security must be risk based. However, risk assessment requires knowledge, skill, ability, and experience. These are not likely to be found in many of the 8000 election jurisdictions. It is all too easy, indeed common, for the novice to confuse threat, vulnerability, or consequences for risk. An effective tool for such a population must provide a lot of guidance while being easy to use. It must not rest upon the ability of the user to do something that he is not equipped to do.