Prioritizing Cybersecurity Risk in Election Infrastructure

These services have included assessments to identify vulnerabilities in public-facing websites, conducting tabletop exercises, creating outreach products for state-level officials to engage with their local-level counterparts, promoting cyber information sharing and collaboration, and deploying network monitoring and intrusion detection systems.(1)

The election system in the United States is, in reality, not one system, but a tapestry of many different systems. Although they all encompass the same functions, system processes and infrastructure vary from state to state and often between jurisdictions within a state. This report provides an overview of the methodology that researchers from the Homeland Security Operational Analysis Center developed to prioritize risk in election systems in the United States.

The risk prioritization method presented in this report addresses components of the election system that are under the control or are the responsibility of state or local election officials. It is intended to provide a high-level view of relative risk across election system com

ponents. It does not address election cybersecurity risk to candidates, political campaigns, social media platforms, or other aspects of elections not under the direct control of election officials. Nor does it address disinformation or influence campaigns regardless of whether such efforts use digital media. It is important to note as well that the risks we assessed are direct cybersecurity risks—that is, the potential risks of a cyber attack on a component of the election system. This risk prioritization method does not directly measure the secondary or tertiary effects of such attacks, such as the potential for loss of public confidence in the election process. The methodology covers the main com-ponents of election infrastructure in the United States and is intended to assist election officials in understanding and prioritizing risk and in taking steps to mitigate the greatest risk, where possible.

Elections are not simply about voting. Other processes must function to enable people to vote and to ensure that those votes are counted and reported. Consequently, in our analysis, we examined the following components of the election system:

·  voter registration

·  pollbooks

·  voting machines

·  tabulation

·  official websites

In our assessment of election systems, we considered different types of attacks across these election system components. An adversary might seek to compromise election infrastructure to accomplish different goals. We distinguish three types of attacks on each election infrastructure component using the “CIA triad” commonly used in cybersecurity: confidentiality attacks, integrity attacks, and availability attacks.

We evaluate risk as a function of likelihood and consequence. Given the challenges in assigning probabilities for each cyber attack as traditional risk assessment methods prescribe, in our methodology, likelihood is determined based on the level of sophistication an adversary would require to successfully attack an election system component, given the security controls in place. Consequence is determined based on the scale of an attack’s effects, paired with a rating of severity of that attack in terms of the way it would impede election officials’ ability to continue to carry out their duties and conduct an election.

To provide a risk score, we calculated the product of the numeric representations of capability (likelihood), scale of attack, and severity. Although this product provides a single numeric value for risk, there is no standard interpretation for this value on its own. In other words, a risk “score” of 32, for example, should not be interpreted as having a specific value or importance except in terms of allowing us to differentiate relative risks.

The approach to evaluating risk in election systems in this report is intended to provide a first step in a risk assessment but not to replace more-detailed analysis and assessments, such as identifying potential vulnerabilities or misconfigurations in the specific technology an election official oversees. The risk prioritization can not only point to where risk lies but also highlight areas in which election officials can seek assistance from others.

(1) Cybersecurity  and  Infrastructure  Security  Agency,  “Election  Infrastructure  Security,”  last revised May 13, 2020.