A new federal tool introduced Wednesday is designed to help state and local election officials get a better assessment of their security risks with just over two months before the presidential election.
The Election Risk Profile Tool, which was designed by the Cybersecurity and Infrastructure Security Agency and the Election Assistance Commission, is meant to give election administrators a “high-level risk profile” of the infrastructure used in the voting process, including voter registration databases, pollbooks, ballots, voting machines, ballot-counting processes and election-night results websites.
IT staff from several secretary of state offices around the country were also involved in reviewing and providing feedback on the tool during the development process.
For each piece of inventory, the tool asks several questions, such as whether a voter registration database can be accessed remotely through a web portal, if the software used to design ballots is patched or if multi-factor authentication is required for a user to access a computerized election system.
Based on the responses, the tool spits back a score representing an election jurisdiction’s risk of incurring a cyberattack, as well as a detailed profile of the responses given, including recommended steps officials can take to mitigate their identified risks. The recommendations might include deploying a network intrusion detection system (such as the Albert sensors offered by the Center for Internet Security), implementing multi-factor authentication or installing software to block distributed denial-of-service attacks that can knock out public-facing websites.
According to the assessment tool’s website, though, it is designed only to review the components of election administration that are within officials’ control. It does not cover risks that may originate in the supply chain, nor does it take into account the actions of political campaigns and social-media disinformation efforts, the latter of which officials and third-party experts have cited as the biggest threat to elections.
And CISA describes the tool, which is meant for high-level review, as not a replacement for more technical risk assessments that IT and cybersecurity professionals might conduct. It’s meant to be “yet another tool to help support election officials to protect the 2020 elections and beyond,” CISA Director Chris Krebs said in a press release.
Some individual states have this year implemented their own advanced security efforts: Colorado is working with penetration testers to detect vulnerabilities in its voter registration database and other internet-connected election assets, while Ohio became the first state in the nation to develop a vulnerability disclosure program for election-related websites.
“Election officials are always looking for helpful resources as they strive to further protect their systems and manage risk,” a spokeswoman for the National Association of Secretaries of State said. “NASS appreciates the work of our federal partners on this tool.”