How to Secure Elections for Municipality, State Clients
MSSPs that serve local and state government IT and agencies will be pressured to step up their security game to protect upcoming elections.
2020 is a presidential election year, so turnout will likely be high, further stressing MSSP capabilities. Fortunately, there is additional budget available in many state and local agencies to help secure elections. How that money is spent is based on the government’s security strategy, which is often crafted with the help of an MSSP.
Workforce talent gaps are prevalent, especially in cybersecurity, so be sure to allow for that in the security plan. Simone Petrella, former CISO and CEO of Washington, D.C.-based cybersecurity training firm CyberVista, says “the focus needs to be not only on technologies but the humans at the forefront of the fight.”
Prior to becoming CEO at CyberVista, Petrella was a senior associate at Booz Allen Hamilton. She spent over a decade there building the firm’s cybersecurity practice in the commercial, national security and defense sectors. On the commercial side, she focused on creating cyberfusion centers and integrating cyberthreat intelligence, security operations, and cyberdefense operations. On the public sector side, she built out a threat capability and team with deep subject-matter expertise in all aspects of cyberthreat intelligence, including intelligence support to both defensive and offensive operations.
We asked Petrella to share her insights on what municipalities and states need to secure their elections so that governments can better mitigate threats and so MSSPs can better plan their sales pitches and client strategies.
Channel Futures’ MSSP Insider: What are the essentials that municipality election workers and IT teams need to secure local elections?
Simone Petrella: Local municipality IT teams tasked with setting up the infrastructure to process these communications must now do so with the mindset that what they are putting in place will be inherently vulnerable. Election workers and IT teams need to 1) identify the type of electronic machines they are using and understand their respective risks; 2) evaluate these decisions through the lens of what an adversary might target, whether that’s a database of voter records or the election results themselves; and 3) identify risk-mitigating controls that ensure election results tallied by machines accurately reflect the will of the voters.
In a world where security is everyone’s responsibility, election security extends to the onsite workers too. Much like the executive teams and risk managers that we work with, they first need to understand the impact of a potential compromise. As a result, they need to be vigilant to watch out for hackers attempting to physically tamper with or alter machines.
CFMI: What cybersecurity retooling and training is needed before major events like elections?
SP: In many ways, voting is the ultimate intersection of democracy, technology and security. Given its importance to the entire electoral process, states and municipalities that oversee the voting process must take a long-term and persistent approach to cybersecurity.
For example, election and local officials must evaluate the supply chains of possible electronic voting machines in order to understand the many potential ways an adversary may disrupt a device. The one constant in facing changing threats is your cybertalent. Take a long-term approach by training and upskilling your employees as investments in overall security. You certainly don’t want to wait until after an event to focus on training.
CFMI: What resources are needed to arm local entities to protect elections and thwart threats like ransomware attacks?
SP: Local municipalities must first understand what threats they are most likely to see from an attack perspective and from the vulnerabilities within their own system. Once they have assessed their risks, they can begin mitigation.
In terms of resources, most of the required controls do require an investment in dollars, time and effort. Local entities can start with increasing their knowledge and training around potential threats. Then they need the ability to scan and test their own security within the networks and devices they are connected to. Once they have identified the critical vulnerabilities, they need access to the resources to remediate those vulnerabilities.