Conducting Risk Assessments https://www.cisecurity.org/elections-resources/ Dr. Michael Garcia, Director of Elections Best Practices 14 June 2018 Agenda About CIS About the Elections Infrastructure Information Sharing and Analysis Center Thinking about threats and motivations in elections A Handbook for Elections Infrastructure
Security Self- and independent assessments 2 A word about CIS CIS is a technical organization Address the how over the what Backed up by experience and resources CIS history and programs underpin best practices and recommendations Focused on the entire ecosystem Looks at and provides best practices from start to finish
3 CIS Structure C State, Local, Tribal, or Territorial Government Entity 4
Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) Members include: 49 State Elections Offices 2 Territorial Elections Offices >700 Local Elections Offices (growing at ~15/week)
4 Associations 5 How to Become a Member Free and Voluntary No Mandated Information Sharing 1. Visit and complete our registration form 2. Agree to the Terms and Conditions 3. Receive a Welcome Email 4. Provide contact details for key staff 5. Start receiving notifications and products
https://www.cisecurity.org/ei-isac/ 6 EI-ISAC Local Leaderboard (June 19) 1. Florida: 100% 1. Maryland: 58% 2. North Carolina: 87% 2. New Jersey: 52% 3. Washington: 85%
3. Minnesota: 44% 4. Nevada: 76% 4. California: 36% 5. Tennessee: 74% 5. Colorado: 36% 6. South Carolina: 72% 6. Arizona: 33%
7. Rhode Island: 67% 7. Oregon: 33% 8. Delaware: 67% 8. Virginia: 30% 9. Hawaii: 60% 7 An Elections-focused Cyber Defense Suite 24x7x365 network
monitoring Incident response and remediation Threat and vulnerability monitoring Election-specific threat intelligence Training sessions and webinars Promote security best practices DDoS mitigation and web protection services
8 24 x 7 Security Operations Center Central location to report any cybersecurity incident Support: Network Monitoring Services Research and Analysis Analysis and Monitoring: Threats
Vulnerabilities Attacks Reporting: Cyber Alerts & Advisories Web Defacements Account Compromises Hacktivist Notifications To report an incident or request assistance: Phone: 1-866-787-4722 Email: [email protected]
9 The threat environment in elections There have always been threats to elections Theres been a steady progression toward IT-related attacks over the last two decades 2016: a more concerted effort, but just an increase in what had already been occurring 10
Motivation 1. Attackers have one or more goals Information theft, espionage, sabotage Sabotage: destruction, defamation, or blackmail of targets Motivation can be BOTH changing votes AND reputation damage to democracy itself 2. In cybersecurity, risks drive investments Must assess risk and keep a broad view Adversaries will look for a weakness anywhere; so must we strengthen defenses everywhere 11
A Handbook for Elections Infrastructure Security View and download at: https://www.cisecurity.org/elections-resources/ Order free hardcopies at: https://learn.cisecurity.org/ei-handbook 12 The starting point Jumping on a moving train means continual improvement Find mitigations that work with a system in motion Constrained resources means mitigating risk at the margin
Focus on the best way to spend the next dollar, regardless of where it is Provide best practices that can be tailored to different situations 13 What we learned about risk The most substantial risks are to components that have network connections For cybersecurity folks, this puts us in known waters Bigger than paper ballots or RLAs Systems are highly unique, but have many
similarities in structure and, thus, risks Think of uniqueness as following the 80/20 rulemostly the same, some tweaks 14 Handbook Structure Three parts 1. Introduction of elections and risk 2. An architecture of elections systems and their risks 3. Technical best practices Includes recommendations on contracting and procurement, auditing, and incident planning
Contains 88 best practices in the form of security controls 15 Part 1: Introduction Typical stuff: scope, audience, environment Also info about conducting a risk assessment Introduces three classes of connectivity Network connected systems Indirectly connected systems Systems that are not connected Bonus!
Transmission risks 16 Part 2: Architecture and Risk Generalized architecture Describe each component, its risks, and its connectedness 17 Part 3: Mitigating Risk Summarize and mitigate risks Best practices have
Asset class: device, process, software, user Priority: high, medium Known security controls Estimates of Potential resistance, upfront cost, ongoing maintenance cost Resources to help implementation Links to online resources, NIST guidance, tools 18 A takeaway Elections have some unique aspects, but the
broad set of risks a similar to those in other domains. This is good news: we can apply what we already know from other industries and sectors to elections, achieving better results faster and cheaper. 19 Uses of the handbook Using as a baseline in developing training and assessment tools Drawing connections between non-technical understanding of risk and technical approaches to mitigation
Prioritizing additional security work Showing how investments have been used and future investment will be used Conducting an assessment of current practices 20 Why assessments matter Throw away what you have and start over No assessment needed Otherwise Assessment needed 21
Assessments types Full, independent risk assessment: best Involves substantial analysis of the environment to identify threats, vulnerabilities, and consequences Independent assessment of practices: good Reviews against known sets of best practices and controls Self-diagnosis, even best intentioned, can be biased Self-assessments of practices: effective
Low budget, quick, useful for a reasonably wellknown threat environment 22 Assessments: when, how, how often During pre-planning, after a system freeze Involve entire technical team After major system changes Annually, ideally semi-annually Share results with non-technical leaders Use as a tool for comms, resourcing, accountability; not just technical 23 Whats next?
Self-assessment tool against handbook Pilot phase underway, full launch in July Training for independent assessors In early development, hoping to begin training in fall Procurement guidebook Based on handbook, provides sound approaches to procurement as well as model contract clauses 24 Self-assessment tool
Online interface to walk through implementation of handbook best practices Provides dashboard summary of results Can be shared across organization and with state ED Default is no sharing Tracks progress over time 25 Thank you! Main page: www.cisecurity.org/elections-resource EI-ISAC registration: https://www.cisecurity.org/ei-isac/ Handbook hardcopies: https://learn.cisecurity.org/ei-handbook
Mike Garcia [email protected] www.cisecurity.org/elections-resources