Intrusion monitors for election security are going virtual

As interest in cybersecurity swells among election officials, a small group of states has begun experimenting with a virtualized network-intrusion system that until recently had only been available in the form of a physical device.

Typically, the Albert system, which is designed and distributed by the nonprofit Center for Internet Security, consists of single-unit physical servers outfitted with the organization’s open-source software that detects anomalous and malicious network activity. But five states and territories, led by Nebraska, have started using Albert sensors that run on a virtual server to detect attempted intrusions of their voter registration databases.

The software-based version of the Albert system is a product of collaboration between the participating states, which have asked to remain anonymous; Election Systems & Software, which produces the voter registration system used by Nebraska and the others; and CIS, which operates the Elections Infrastructure Information Sharing and Analysis Center, the federally funded entity through which state officials, local officials and the U.S. Department of Homeland security exchange alerts about election security.

Membership in the EI-ISAC, which was created last year as part of the response to attempts by the Russian government to tamper with the 2016 presidential election, has grown to nearly 2,000, including election officials in all 50 states and nearly 1,600 local governments, along with vendors like ES&S and intergovernmental organizations like regional and statewide fusion centers.

CIS engineers told StateScoop that going virtual was determined to be the best option for monitoring voter registration files that use the ES&S platform.

“It was a unique situation where we had to configure some advanced encryption techniques,” said Stephen Jensen, CIS’s senior director of operations. “We work with our members to work within the confines of their network space and not levy too much of a burden on them to change their configurations.”

Data collected by Albert sensors is transmitted back to CIS’s headquarters in Upstate New York, where it maintains a 24-hour secure operations center that analyzes suspicious network activity and issues alerts as necessary to EI-ISAC members. The organization also operates the Multi-State Information Sharing and Analysis Center, which was founded in 2002 to distribute cybersecurity information between state governments.

According to the office of Nebraska Secretary of State Robert Evnen, the virtual Albert sensor is also the first to be placed on a voter registration system maintained by a commercial vendor. The project was given an award last week for election innovation by the National Association of State Election Directors.

“Nebraska paved the way for states to deploy Albert sensors to election vendors,” Keith Ingram, Texas’ elections director and NASED’s president, said in a press release. “Their work with the vendor, DHS and the EI-ISAC to implement a virtual Albert sensor is a prime example of the kinds of collaboration that state election officials are undertaking to secure our elections.”

CIS’s engineers said they expect to build more virtual sensors, especially as demand for the Albert platform grows in the run-up to the 2020 election. Several states’ top election officials, including New Jersey and Louisiana, are in the process of equipping all of their individual county election authorities with Albert systems before next year.

“We’re expecting to grow the fleet of sensors by more than 50 percent in the second half of this year,” said Justin Burr, a CIS engineering manager.

The creation of a non-physical sensor helps CIS to keep up with its customers’ demand as more of them pursue virtualization, Burr said. CIS migrated to Amazon Web Services in late 2017 after maxing out its on-site data center in late 2017. The organization has credited that move with greatly expanding its data-collection ability and the speed at which it can research cyberthreats against the government networks it supports.

“As more agencies are moving into the cloud, we’re making sure Albert’s fully able to support that going forward,” Burr said.