Slide2
CISA Election Security 101
Slide3
Noah Praetz
Former Director of Elections, Cook County, IL
Co-Chair Federal Response Efforts
Senior Election Security Advisor, Cybersecurity & Infrastructure Security Agency (CISA), within DHS
Argonne National Labs & University of Chicago Cyber Policy Institute
Teaches an Election Law course at DePaul University College of Law as Adjunct Professor
Advisory Board Member, Cyber Policy Initiative, University of Chicago
Election Security
Managing Risks & Building Resilience
#Protect2020
Slide4
Election Inflection Points
2000 & 2016
Foreign Activities – Hybrid Threats – “Sweeping and systematic”
Information & Infrastructure
Federal, State, Local
Cook & Illinois
“2020 Vision” white paper – Keys – “Defend, Detect, Recover”
Cyber Navigators
Slide5
Elections Systems: Designated Critical Infrastructure
“Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
16 Sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials and Waste; Transportation Systems; and Water and Wastewater Systems.
Authorities: Patriot Act (Sec. 1016(e)); Department of Homeland Security, National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience; Presidential Decision Directive 63, 199; Homeland Security Act of 2002, 6 U.S.C. § 131.
See https://www.eac.gov/assets/1/6/starting_point_us_election_systems_as_Critical_Infrastructure.pdf
Slide6
Elections Systems: Designated Critical Infrastructure
The 2017 designation of election infrastructure as critical infrastructure provides a basis for the Department of Homeland Security and other federal agencies to:
Recognize the importance of these systems;
Prioritize services and support to enhancing security for election infrastructure;
Provide the elections community with the opportunity to work with each other, the Federal Government, and through the Coordinating Councils;
Hold anyone who attacks these systems responsible for violating international norms.
Slide7
Election Infrastructure Subsector Government Coordinating Council
Federal, state, and local government partners formed the Election Infrastructure Subsector GCC (EIS-GCC) and met for the first time in Atlanta in October 2017.
The formation of the EIS-GCC was a milestone in multi-level government cooperation that bolstered election infrastructure security and resilience.
The EIS-GCC:
Enables partners to leverage information sharing, cybersecurity and physical security products, resources, capabilities, and collective expertise.
Consists of 27 members, 24 of which are state and local election officials.
Is led by a five-member Executive Committee which meets biweekly (DHS/CISA; EAC; a Secretary of State; a state Election Director; and a local Election Director).
Adopted a Subsector Specific Plan in 2018. Subsector priorities for 2019-2020 were approved on February 1, 2019.
Slide8
Election Infrastructure Subsector Coordinating Council
Private sector stakeholders formed the Election Infrastructure Subsector Coordinating Council (EISCC) and met for the first time in February 2018.
The EISCC:
Is led by a five-member Executive Committee.
Serves as the primary liaison between the private sector and government on election infrastructure security.
Facilitates information and intelligence sharing.
Coordinates with DHS and the EIS-GCC to develop, recommend, and review subsector-wide plans and procedures.
Established an action plan complete with goals and priorities in February 2019.
Slide9
Threats to Election Infrastructure
Adversaries:
Nation-state actors
Non-state actors
Cyber criminals motivated by financial gain
Targets:
Voter registration databases
Voting systems
Election reporting systems
Storage facilities and polling places
Public confidence in the integrity of the election
Election officials and their families
Slide10
Join the Election Infrastructure ISAC
The EI-ISAC is a dedicated resource that gathers, analyzes, and shares information on critical infrastructure and facilitates two-way cybersecurity threat information sharing between the public and the private sectors.
The EI-ISAC supports the election community through:
24 x 7 x 365 network monitoring
Election-specific threat intelligence
Threat and vulnerability monitoring
Incident response and remediation
Training sessions and webinars
Promotion of security best practices
Slide11
Positive Relationships – By the Numbers
EI-ISAC Membership - 1554
50 states and 4 territories
1476 local election offices
7 associations
14 election vendors
Albert Sensors - 140
47 states and 1 territory
92 local election offices
States with a High Level of Local EI-ISAC Membership
Slide12
Election Infrastructure Security – Adoption of Services
43 states have utilized at least one DHS cybersecurity service
30 states have utilized at least two DHS cybersecurity services
14 states have utilized three or more DHS cybersecurity services
6 states have leveraged five or more DHS cybersecurity services
SERVICE | Total
Cyber Resilience Review (CRR) | 24
External Dependencies Management Assessment | 18
Cyber Infrastructure Survey (CIS) | 19
Cyber Hygiene Scanning (CyHy) | 150
Hunt | 25
Risk and Vulnerability Assessment (RVA) | 40
Remote Penetration Testing (RPT) | 25
Phishing Campaign Assessment (PCA) | 10
Election-related Exercises | 32
Services updated 4/2/2019
Slide13
Progress in the 2018 Election Cycle
Establishment of the EI-ISAC
In February 2018, the EIS-GCC established the EI-ISAC, which is now the fastest growing ISAC ever.
Funding Consideration Document
In May 2018, the EIS-GCC released a guidance document with potential short- and long-term funding considerations to support elections officials making decisions on how they could use newly available funding to help secure election infrastructure.
Communications Protocols
In July 2018, the EIS-GCC issued a set of voluntary Communications Protocols to improve the efficiency and effectiveness of information sharing between election stakeholders.
New Trainings and Assessments
Driven by feedback from election officials, DHS now offers Remote Penetration Testing as well as “The Election Official as IT Manager” online course.
National-level Election Security Tabletop Exercise
In August 2018, DHS hosted a three day tabletop exercise with 44 states, the District of Columbia, and 10 Federal agencies.
Classified Briefings
DHS partnered with the Intelligence Community to share classified information on several occasions, pushing more threat information to this subsector than ever before. The most recent classified briefing was in February 2019.
Election Day Situation Room
On Election Day, DHS hosted the National Cybersecurity Situational Awareness Room. This online portal for election officials and vendors facilitated rapid information sharing and provided election officials with virtual access to the 24/7 operational watch floor of the NCCIC.
Slide14
The Cybersecurity and Infrastructure Security Agency (CISA), part of DHS, is working with EAC, NASS, NASED, Election Center, iGO, and others to support preparation for the 2020 presidential election year.
DHS Election Security Mission: To support the election community with information and resources necessary to secure the infrastructure and America’s confidence in it.
We focus on three broad issue areas that need addressing in the face of hybrid efforts from adversaries.
1. Provide election officials with risk information & services to aid risk management decisions.
2. Provide the public and election partners with information to help counter foreign influence.
3. Provide political parties with risk information & services to aid risk management.
Slide15
DHS’s priorities are bucketed into six main categories and they align with those of the GCC:
P1: Increase local support and engagement
P2: Increase awareness about risks associated with failing to invest in elections
P3: Continue difficult risk conversations
P4: Enhance and expand communications
P5: Promote risk management practices for political parties and campaigns
P6: Further the discussion around recognizing and countering foreign influence efforts
Slide16
For our election infrastructure priorities we are leaning in at the local level with a three-prong message leading into 2020 and beyond.
Share
Assess
Improve
Slide17
Share
Assess
Mature
Share Information
Within the Election Sector
Get locals into the ISAC & build direct communication channels *
Inform states/locals on available federal, state, NGO, and private resources *
Distribute & practice information sharing according to protocols *
Engage on checklists, recommendations and other “Last Mile Products” *
Slide18
Share Information
With External Stakeholders
Engage state and local government support groups like NGA, NCSL, and NaCO (P1)
Promote cyber-security awareness and future support by engaging candidates and parties (future leaders) through outreach & sharing of information on available services focused on risk management practices (P2, P5, P6)
Prepare the public and campaigns to help defend elections from disinformation attacks – Countering Foreign Influence (P1, P4)
Slide19
Share Resources & Support
Optimize Governance
Consider state level standing working groups of security, law enforcement, and election officials at all levels (P1, P2, P3, P4, P5, P6)
Assist locals in acquiring human and financial support from available federal, state, NGO, and private entities (P1, P2)
Supply training to states/locals with focus on security measured by defenses, breach techniques (audits) and recovery (resilience) (P1, P2, P3, P4, P5, P6)
Slide20
Share Information
Share Intelligence
Assist locals in gathering & sharing network traffic data from Albert Sensors or log files (P1, P2, P3)
Assist locals in developing some behavioral analysis norms, developing or instituting measurements, and then sharing those and intel (P1, P2, P3)
Ensure locals are all sharing information up to the state level on phishing-type attacks as well as complying with the sharing protocols (P3, P4)
Slide21
We are leaning in at the local level with a three-prong message leading into 2020 and beyond.
Share
Assess
Improve
Slide22
Assess
Assess infrastructure security to determine the state and local posture and priorities
Consider adopting an accepted cyber-security management framework like the CIS20 Controls or the NIST Framework (CIS has a handbook to consider, GCC working on NIST)
Identify specific security gaps and remediation needs (DHS services like Cyber Hygiene & Remote Pen Testing can help)
Identify the resources necessary to fund remediation efforts and close security gaps (Specifics help funders understand the specific risks that are in play)
Help locals formulate a security progress plan (Post-assessment, it's important to map out progress)
Slide23
Assess
Assess the legal and policy frameworks
Work with standing security committee to determine if alterations to state law and/or policy could result in a more sustainable election security environment (P1, P2, P3, P6)
Help locals review their own policy decisions and compliance efforts to determine whether any alterations could result in a more sustainable election security environment (P1, P2, P3, P6)
Slide24
Assess
Assess the vulnerability disclosure policies and remediation requirements
Work with standing security committee to determine if the state might develop a policy to help close the gap between identification and mitigation (P1, P2, P3, P6)
Help locals engage on vulnerabilities and remediation to help move the market towards quick mitigation (P1, P2, P3, P6)
Slide25
DHS Resources for State and Local Election Officials
Vulnerability Scanning
A scanning of internet-accessible systems for known vulnerabilities on a continual basis. As potential issues are identified, DHS notifies impacted customers so they may proactively mitigate risks to their systems prior to exploitation. Conducted remotely and fully automated.
Remote Penetration Testing
Utilizes a dedicated remote team to assess and identify vulnerabilities and work with customers to eliminate exploitable pathways. The assessment simulates the tactics and techniques of malicious adversaries and tests centralized data repositories, externally accessible assets, and web applications.
Phishing Campaign Assessment
Measures the susceptibility of an organization’s staff to social engineering attacks, specifically email phishing attacks. The assessment takes place during a six-week period. An assessment report is provided two weeks after its conclusion. The assessment report provides guidance, measures effectiveness, and justifies resources needed to defend against and increase staff training and awareness of generic phishing and spear-phishing attacks.
Slide26
We are leaning in at the local level with a three-prong message leading into 2020 and beyond.
Share
Assess
Improve
Slide27
Mature
Manage election infrastructure with sustainable security as a fundamental requirement
Evaluate state & local election policy and purchasing decisions with infrastructure security implications at top of mind (P3, P6)
Help locals drive industry innovation and security compliance by assisting with procurement requirements focusing on “security by design” (CIS released a procurement guide)
Consider building a list of trusted service providers so locals can avoid the work or mistakes that can come in this low regulation area (P3, P6)
Slide28
Improve
Move external communications with Candidate and Voter Behavior top of mind
Ensure stakeholders and future and current leaders using election services are aware of the effects of spreading “disinformation” & that they understand Foreign Influence Efforts (P1, P2, P5, P6)
Ensure stakeholders and future and current leaders are aware of the risks to election infrastructure and, importantly, of the fallback procedures that ensure resiliency (P1, P2, P5, P6)
Slide29
Improve
Advocate for resources needed to improve election security
Engage federal, state & local government stakeholders about current state of security and the resources and changes necessary to ensure a more sustainable and more secure future (P1, P2, P3, P6)
Engage public stakeholders and candidates and political parties (future leaders) about the current state of security and the resources and changes necessary to ensure a more sustainable, more secure future (P1, P2, P5, P6)
Slide30
Mature
Help locals deploy a security progress plan
After completing the assessments ensure that locals are planning and budgeting for the progress on the next round of risk assessments (P1, P2, P3, P6)
Slide31
The Security Loop
Share
Assess
Mature
Slide33
Top Recommendations Provided Across All EI Assessments
Mitigate Internet Vulnerabilities in a timely manner
Recommend that EI Subsector entity managers mitigate all internet-accessible high and critical severity level vulnerabilities within 30 days. Vulnerabilities with lower severity levels should be reviewed and either mitigated, or the associated risk formally accepted, within 60 days.
Strengthen Password Policy and Auditing Processes
Recommend the use of multi-factor password technology. Entities should perform regular audits of their password policy. Password best practices include ensuring that default passwords are never used in production, that strong passwords are required and used, and that administrators use encrypted password vaults.
Implement Network Segmentation
Internal network architecture should protect and control access to the entity’s most sensitive systems. Recommend that user workstations should be less trusted and connections to external networks should be isolated, controlled, and monitored.
Follow Cybersecurity Best Practices
EI Subsector entities should follow established enterprise network best practices for IT infrastructure, including the implementation of a strong patching methodology for operating systems and third-party products.
Replace Unmaintainable Equipment
All EI Subsector equipment should be maintainable with current security patching. Exceptions should be minimized and isolated.
Slide34
CISA Election Security 101
Noah Praetz
Senior Election Security Advisor
Department of Homeland Security
noah@praetzconsulting.com
Slide35
DHS Countering Foreign Interference Overview
Slide36
Agenda
What is Foreign Interference
Case Studies
What Can DHS Do?
Slide37
What is Foreign Interference?
Slide38
Goals of Election Interference
Source: “Cyber Threats to Canada’s Democratic Process,” Canada Centre for Cyber Security
Slide39
Spreading Disinfo Before and After Social Media
Source: “A View from the Digital Trenches: Lessons from Year One of Hamilton 68,” Bret Schafer, 2018
Slide40
Case studies
Slide41
Breaking Down Information Operations
Slide42
Case Study: Louisiana Chemical Attack -- Russia
Goal: Undetermined. Breadth of techniques used on a limited scale could indicate testing in U.S.
Access to cell phone numbers in local area
Established social media accounts and bots
Developed targeted media and key influencers list
Content developed includes:
Fake surveillance camera footage
Doctored images of flames engulfing plant
Fake YouTube video showing ISIS claiming responsibility
Wikipedia page content
Doctored CNN webpage showing disaster had made national news
Text messages and social media messaging
Text messages to local residents
Hundreds of Twitter accounts posting about “disaster” using hashtag #ColumbianChemicals and doctored images/videos
Tweets targeting reporters at local and national media – New Orleans Times-Picayune, CNN, and NYT
Tweets targeting political commentators
Source: “The Agency,” Adrian Chen, New York Times Magazine
Slide43
Case Study: U.S. Energy Markets -- Russia
Goal: Disrupt U.S. energy markets to reduce competition to Russian energy
Clear understanding of U.S. and global energy markets.
Knowledge of U.S. energy companies and environmental groups.
Understanding of Dakota Access Pipeline and related controversy.
Developed memes to stoke passions around issue.
Targeted US energy companies, particularly with messaging around profits.
Messaging advocated abandonment of specific fuel sources.
Exaggerated claims of impact of renewable energy sources (e.g. Iowa clean energy effort).
Took both sides of climate change and drilling issues.
RT ran anti-Fracking stories that highlighted environmental and health issues.
Pushed messaging through unwitting US environmental groups and activists.
Pushed people to sign petitions aimed at stopping Dakota Access, Sabal Trail, and Enbridge Line 5 pipelines.
Source: US House of Representatives Committee on Science, Space and Technology Majority Staff Report on “Russian Attempts to Influence US Domestic Energy Markets by Exploiting Social Media”
Slide44
Case Study: New Zealand -- China
Goal: Promote China friendly policy.
Established state agencies focused on managing overseas agenda, to include influence. Integrated approach.
Establish and support community organizations in New Zealand – generally organized along place of origin, professional lines of work, or special interest type groups
Work done through embassies and consulates
Chinese state media.
Content cooperation agreements with local media outlets
Formed China-centered economic and strategic bloc
Monitor local Chinese community via community organizations
Monitor ethnic Chinese political figures
Support and monitor Chinese language news and schools
Censor ethnic Chinese discussion of political issues in New Zealand
Work with “patriotic” business people, also known as ‘Red Capitalists’
Use Chinese Student and Scholar Association to “guide” students and scholars.
Leverage business and economic organizations to influence NZ policy
Encourage political activism in New Zealand
Push messaging through community organizations, such as the “Peaceful Reunification of China Association of New Zealand,” which engages in a range of activities including block-voting and fund raising for ethnic Chinese political candidates
Ethnic Chinese political leaders in New Zealand come under pressure from China to support China’s goals, not many do not get coopted
Leverage former political leaders to push policy, often receiving positions in Chinese businesses
Seek to prevent criticism of China policy from being published in media and academic journals
Organize protests against Chinese critics
Organize meeting of New Zealand politicians and Chinese community issues to discuss issues of importance to China, such as reunification.
Encouraging political donations to major parties, a large number of donors are affiliated with Chinese organizations
Source: Brady, Anne-Marie, “Magic Weapons: China’s Political Influence Activities Under Xi Jinping,” Wilson Center
Slide45
What Can DHS Do?
Slide46
DHS Role in Countering Foreign Influence
Build National Resilience to Foreign Influence Operations
Partner engagement
Public awareness and education
Operational Support
Incident Reporting
Slide47
What Should Owners and Operators Know?
Understand the Risk
Secure Systems
Secure Social Media Accounts
Don’t Amplify Disinformation
Think Before You Link
Know Your Source
Keep Emotions in Check
Positive, Factual Messages Only
Report Incidents
Talk to Employees
Slide48
CFITF Can Help
Let Us Know What You Need
Products and Briefings
Incident Response Reporting
Slide49
DHS Countering Foreign Influence Task Force
Brian Scully
CFITF Director
Department of Homeland Security
Brian.Scully1@hq.dhs.gov
Phone: 202-450-8046
Slide50
Source: “Russian Attempts to Influence U.S. Domestic Energy Markets by Exploiting Social Media,” House Committee on Science, Space, and Tech, 2018