On May 16, the Department of Homeland Security (DHS) released a new cybersecurity strategy to keep pace with the evolving cyber risk landscape. As we inch closer to the mid-term elections in November, I wanted to share what I hope (expect) to see as part of this strategy going forward.
A wide scope of topics – With any cybersecurity strategy, it is important to ensure all stakeholders, pieces and potential battlefronts are included in the scope and that it is understandable to everyone. In the past, most strategies from the government have been fairly heavily focused on networking – connecting devices and ensuring access to certain parts of the world. While networking is a valuable topic to address, it is important that the DHS’ strategy covers a wider scope of topics, including cloud, on-premises, devices, mobile, disconnected IoT and servers in the back office. Regardless of where an asset is or what it is called, we are still talking about computers, devices, networks, storage, configurations, and people that run them. The DHS needs to address what is being done to help minimize the risks of these assets.
Greater federal responsibility in election security – When it comes to election security, the DHS has typically played the role of an advisor to the state electorates where the actual elections are taking place. More responsibility needs to be placed on the DHS, FBI and other federal entities to defend the election infrastructure. To do so, it first needs to be acknowledged that we are dealing with an old problem (human elections) in a modern world. I’d like the DHS to take on a greater responsibility in advising, by providing infrastructure, guidance and/or controls to create safer elections to the states that need the collective power of our democracy.
Election security is data security – At the end of the day, when it comes to election security, we are really just talking about data security: securing valuable information. While there are countless ways to interfere with an election, the focus is often placed on the actual tampering of results. To ensure the election system is secure and hasn’t been compromised, voter information must be treated as sensitive data, such as a credit card number. Data is data, so when it comes to securing election results, the same steps should be taken that are taken to protect and manage data and identities for banking transactions.
Beyond the basic best practices – The U.S. election system is complicated in that we have federal elections being run at the state level. It is difficult for the DHS to insert itself as the enforcer of cyber hygiene for elections by simply sharing best practices and offering scans. While both of these initiatives encourage good behavior at the state level, we need to go beyond the basics. In order to ensure safe elections, we need to be able to trust that each vote is valid. And to do so, we must know, for example, that this vote was cast by this person at this location with the correct identity. Another aspect includes properly vetting the manufacturers of voting machines and tightening how that is being done, whether federally or at the state level. At the end of the day, the DHS has an opportunity with this strategy to provide guidance beyond the traditional cybersecurity best practices.