Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity in Elections Infrastructure: Risks and Mitigations

Published byDevi Susanto Modified over 6 years ago

Similar presentations

Presentation on theme: "Cybersecurity in Elections Infrastructure: Risks and Mitigations"— Presentation transcript:

1 Cybersecurity in Elections Infrastructure: Risks and Mitigations
Dr. Michael Garcia, Director of Elections Best Practices 14 June 2018

2 A word about CIS CIS is a technical organization
Address the how over the what Backed up by experience and resources CIS history and programs underpin best practices and recommendations Focused on the entire ecosystem Looks at – and provides best practices – from start to finish

3 Center for Internet Security

4 The threat environment
There have always been threats to elections There’s been a steady progression toward IT-related attacks over the last two decades 2016: a more concerted effort, but just an increase in what had already been occurring

5 Motivation Attackers have one or more goals
Information theft, espionage, sabotage Sabotage: destruction, defamation, or blackmail of targets Motivation can be BOTH changing votes AND reputation damage to democracy itself In cybersecurity, risks drive investments Must assess risk and keep a broad view Adversaries will look for a weakness anywhere; so must we strengthen defenses everywhere

6 A Handbook for Elections Infrastructure Security
View and download at: Order free hardcopies at:

7 The starting point The most substantial risks are to components that have network connections For cybersecurity folks, this puts us in known waters Bigger than paper ballots or RLAs Jumping on a moving train means continual improvement Constrained resources means mitigating risk at the margin Focus on the best way to spend the next dollar, regardless of where it is

8 Handbook Structure Three parts Introduction of elections and risk
An architecture of elections systems and their risks Technical best practices Includes recommendations on contracting and procurement, auditing, and incident planning Contains 88 best practices in the form of security controls

9 Part 1: Introduction Typical stuff: scope, audience, environment
Also info about conducting a risk assessment Introduces three classes of connectivity Network connected systems Indirectly connected systems Systems that are not connected Bonus! Transmission risks

10 Part 2: Architecture and Risk
Generalized architecture Describe each component, its risks, and its connectedness

11 Part 3: Mitigating Risk Summarize and mitigate risks
Best practices have Asset class: device, process, software, user Priority: high, medium Known security controls Estimates of Potential resistance, upfront cost, ongoing maintenance cost Resources to help implementation Links to online resources, NIST guidance, tools

12 Possible uses of the handbook
Using as a baseline in developing training and assessment tools Drawing connections between non-technical understanding of risk and technical approaches to mitigation Prioritizing additional security work Showing how investments have been used and future investment will be used Conducting an assessment of current practices

13 What’s next? Self-assessment tool against handbook
Pilot phase underway, full launch in July Training for independent assessors In early development, hoping to begin training in fall Procurement guidebook Based on handbook, provides sound approaches to procurement as well as model contract clauses

14 Thank you! Mike Garcia Mike.Garcia@cisecurity.org

Download ppt "Cybersecurity in Elections Infrastructure: Risks and Mitigations"

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
Khammar Mrabit Director Office of Nuclear Security

Khammar Mrabit Director Office of Nuclear Security
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
National Infrastructure Protection Plan

National Infrastructure Protection Plan
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]

National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
OHIO OFFICE OF INFORMATION TECHNOLOGY. Even the agents are suffering…

OHIO OFFICE OF INFORMATION TECHNOLOGY. Even the agents are suffering…
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
CBP Website Redesign Geography Summit May 29, 2007.

CBP Website Redesign Geography Summit May 29, 2007.
The Evergreen, Background, Methodology and IT Service Management Model

The Evergreen, Background, Methodology and IT Service Management Model
Enterprise Computing Community June 13 - 15, 2010February 27, 2010 1 Information Security Industry View Linda Betz IBM Director IT Policy and Information.

Enterprise Computing Community June , 2010February 27, Information Security Industry View Linda Betz IBM Director IT Policy and Information.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
Thursday, January 23, 2014 10:00 am – 11:30 am. Agenda  Cyber Security Center of Excellence  Project Phase  Implementation  Next Steps 2.

Thursday, January 23, :00 am – 11:30 am. Agenda  Cyber Security Center of Excellence  Project Phase  Implementation  Next Steps 2.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

Similar presentations

Ads by Google