On Tuesday, state and federal agencies and industry groups will staff “war rooms” focused on monitoring and responding to the latest threats to the administration of an election that’s already seen disinformation campaigns, threats from foreign governments, sweeping changes to how people cast ballots and, in just the past few weeks, record-busting early voting.
One of those war rooms is running out of an office park in East Greenbush, New York, home to the Center for Internet Security, which operates the Election Infrastructure Information Sharing and Analysis Center, the federally backed entity that distributes threat intelligence to election administrators and helps state and local governments backstop their voting-related IT systems.
In an interview Monday, the EI-ISAC’s director, Ben Spear, told StateScoop the organization, which enrolls thousands of state and local election offices, that this year’s plans build on its work over the last few election cycles. While CIS, which also operates the Multi-State ISAC, maintains a round-the-clock security operations center, its Election Day war room is a much bigger effort.
“We’re always available for folks,” he said. “But for Election Day itself, we have a full contingent across all the teams.”
That includes members of CIS’s incident-response, intelligence and engineering teams who will be on site — socially distanced and wearing masks, Spear noted — monitoring for suspicious activity and issuing updates to EI-ISAC members at least once every four hours.
In addition to the in-person operation, Spear said there’s also a heavy virtual presence. The Cybersecurity and Infrastructure Security Agency, which funds the EI-ISAC, will run a nationwide “situational awareness room” through which federal officials, vendors and state and local election officials can communicate with each other about any physical or digital threats.
In just the past two weeks, CISA and the FBI have issued multiple alerts about malicious activity targeting election-related systems emanating from Iran and Russia. But Spear said the EI-ISAC’s members in state and local government are taking the advisories seriously and making the necessary adjustments, like installing software patches and fixing system configurations.
“This is how it was all supposed to work,” he said. “Members are addressing [vulnerabilities]. We along with our federal partners are working to identify gaps so we can point those out. This is the big thing people are keeping an eye out for.”
In the months leading up to the election, the Center for Internet Security has also been rolling out new products for its EI-ISAC and MS-ISAC members. In August, it launched a Malicious Domain Blocking and Reporting service to prevent state and local government users from connecting to web domains known to be affiliated with ransomware, other forms of malware, phishing campaigns and other threats. It also runs an endpoint detection and response service.
The MDBR service, Spear said, has been a complement to CIS’s network-monitoring devices, known as Albert sensors, which have become popular among states and bigger cities and counties, but may be less accessible to smaller local governments.
“Albert is something that requires an IT guy to install a piece of equipment,” he said. “MDBR and EDR can block that activity and officials can have peace of mind.”
Beyond monitoring for malicious nation-state and cybercriminal activity, Spear said the EI-ISAC war room will, like the rest of the election-security community, be looking out for misinformation and disinformation, especially if, as expected, it takes some states longer than usual to count their ballots due to the high volume of mail-in voting.
“[It’s] always a concern, particularly if we see this lengthen out,” he said. “There’s always opportunity for an adversary to take advantage of an opportunity.”
But, Spear said, the war room will run for as long as it needs to, regularly assessing when it might be time to stand down, though the EI-ISAC will still be ready to respond to its members’ needs.
“We’re able to provide continuous support,” he said. “We’re always going to be there.”