The US Department of Homeland Security members of the Election Infrastructure Government Coordinating Council (GCC) Executive Committee – Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director Bob Kolasky, U.S. Election Assistance Commission Chair Benjamin Hovland, National Association of Secretaries of State (NASS) President Maggie Toulouse Oliver, National Association of State Election Directors (NASED) President Lori Augino, and Escambia County (Florida) Supervisor of Elections David Stafford – and the members of the Election Infrastructure Sector Coordinating Council (SCC) – Chair Brian Hancock (Unisyn Voting Solutions), Vice Chair Sam Derheimer (Hart InterCivic), Chris Wlaschin (Election Systems & Software), Ericka Haas (Electronic Registration Information Center), and Maria Bianchi (Democracy Works) – released a joint statement noting that “The November 3rd election was the most secure in American history.”
The assumption there is that it was secure from foreign adversaries. That result is positive considering that, as recently as October 21, 2020, Russia and Iran had stolen voter registration information.
With that baseline, we asked a few folks from the Cyber Security Hub community what lessons can be learned for global corporate enterprise from this US election cycle. While these are direct quotes, they are provided anonymously.
Being Secure And Trustworthy
“People are reluctant to change. So if they had a ‘smart voting’ option, they might not trust it. They might not trust the technology. They might think it could be hacked. The lesson for corporations is optics and providing the assurance that the product you're selling, it's been pen tested. It's been stress tested. It's gone through the whole battery of tests of everything you can do. Give that ‘Good Housekeeping’ seal of approval, that under known circumstances, this is a good known product. You need to get that confidence built in your customer, that what you're offering is safe and secure.”
Outpacing Fear, Uncertainty & Doubt
“The bad guys will continue to take advantage of fear, uncertainty, doubt. That's a given. Whether it's COVID, whether it's governmental, whether it's voting, whether it's ‘we need you to do this because you're working remote’ or ‘Microsoft says,’ the hackers are going to take every advantage of that fear, uncertainty, doubt.”
Understanding External Threat Actors
“It's important for corporates to understand that there are external threat actors trying to influence your business. It could be competitors, it could be other attackers and it could be bad actors coming back to gain threat intelligence. It’s very important to understand where your risks lie, where your threats lie.”
Contextualizing Risk
“We have to continue to become more contextual in our understanding of risks. There are a lot of attacks that happen and have happened that were really sort of test attacks that were gearing up to become more concrete attacks, and contextually, depending on my business and my configuration, I need to be able to look at what that means. So what have you done? What are you doing to get ahead of that, to plan for that, to make sure that you understand what that threat means to you? If it comes to the front door, you're pretty clear. But what if it comes through the back door? Have you thought about all of the potential angles and impact? So I think this season has done that probably for my organization more than anything else. How well do we really understand the threat? And based on that understanding, is it enough?”
Understanding Residual Risk
“The real question for corporate leaders to ask is, at a national security policy level, is it appropriate to continue our policy of naming and shaming? A lot of organizations, commercial organizations, are getting interested in attribution. We would not have the Mondelez versus Zurich Charlie Foxtrot today if there had not been a policy of naming and shaming that identified a nation-state actor, which allowed a cyber insurance provider, Zurich Insurance, to say the cyber attack against Mondelez isn't covered because it's an act of war. And this naming and shaming policy ultimately is giving insurers a reason to deny coverage on legitimate policies, which again, if you've transferred some of your residual risk to your insurance provider, this national policy associated with naming and shaming, it's not a good thing for anybody in that regard.”
And so, the lessons learned from this US election cycle seem to be straightforward and in line with what must be done in cyber security day in and day out. Be not only secure but trustworthy to your internal customers, third-party partners and external customers. Outpace fear, uncertainty and doubt from external factors, but also from your internal stakeholders. Of course, always be learning about your external threat actors. Contextualize the risk that is apparent and shore up vulnerabilities accordingly. And finally, join the larger conversation around residual risk.