CIA: The ABCs of Cybersecurity
What does the CIA have to do with your Voter Registration System?
Don’t panic: in this context, CIA refers to Confidentiality, Integrity, and Availability, not the Central Intelligence Agency! The CIA triad is one of the most fundamental concepts in cybersecurity. In fact, most security measures exist to protect one or more of its three facets.
In 2017, Allianz declared ‘cyber incidents’—a category that includes cyber crime, IT failure and data breaches—the No. 3 overall risk facing global businesses in its annual Risk Barometer, a study that draws from the insight of 1,200+ risk experts from over 50 countries.
As you can see in the chart below, cyber incidents have become an increasing concern in recent years:
Now more than ever, guarding against security threats is vital in any mission-critical industry, and an understanding of CIA principles will help election administrators protect their systems and data. In this post I will be giving a high-level overview of the CIA triad and highlighting some security best practices that will ensure the Confidentiality, Integrity, and Availability of your voter registration system.
Confidentiality is the requirement that private or confidential information is restricted to authorized parties only. To keep sensitive voter registration information private, below are some of the most effective data protection practices available:
- Encrypting Data in Transit – Data in transit is data moving from one network to another. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the technologies used to keep an internet connection secure and safeguard sensitive data: they encrypt data transferred between users and sites, or between two systems, so that anyone intercepting the connection cannot read it. (SSL itself is deprecated; new deployments should use TLS 1.2 or later.)
  - When a website is secured by an SSL or TLS certificate, HTTPS (Hypertext Transfer Protocol Secure) will appear in the URL.
- Encrypting Data at Rest – Data at rest refers to data that resides on a hard drive, flash drive, laptop, or is archived in some other way. Perimeter-based defenses such as firewalls and antivirus programs are effective, but not impenetrable. Encrypting hard drives and storing data in discrete locations will add additional layers of security in the event that your network is compromised.
- 2FA – Two-Factor Authentication (2FA) adds an additional layer of security by requiring users to provide a second form of verification, in addition to a username and password, to access their account. Examples of second factors include:
  - Possession Factors – fobs, ATM cards, or phones (a code delivered via SMS)
  - Inherence Factors – fingerprint readers and retina scanners
- Process Security – simple yet crucial preventative measures that every system user should take; these are covered in our blog post, 4 Human Errors that Threaten Cybersecurity.
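To make the data-in-transit point concrete, here is an added example (written for this post, not code from the original) using Python's standard `ssl` module. It puts a client configuration that merely encrypts next to one that also verifies who it is talking to, and includes a policy check a deployment review could run over every context. The host name and port in `connect_with` are placeholders; that function is the only one that touches the network and is not called in the offline demo.

```python
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: the connection is encrypted, but the server's
    certificate is never checked, so the client will hand its data to
    anyone who answers, including a man-in-the-middle. Confidentiality
    toward *authorized parties only* is lost."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: system trust store, certificate required,
    host name checked against the certificate, and nothing older than
    TLS 1.2 (SSL and TLS 1.0/1.1 are deprecated)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Policy check: does this context actually deliver confidentiality?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def context_report(ctx: ssl.SSLContext) -> dict:
    """Human-readable summary of the settings that matter."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
        "acceptable": is_acceptable(ctx),
    }


def connect_with(ctx: ssl.SSLContext, host: str = "vr.example.gov", port: int = 443) -> str:
    """Open a TLS connection and return the negotiated protocol version.
    host/port are placeholders; not exercised in the offline demo."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, context_report(ctx))
```

The insecure context still negotiates encryption, which is why "the padlock is there" is not the same as "the connection is confidential": without certificate and host name verification, the encrypted channel may terminate at an impostor.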
Without integrity, you cannot trust your data. Integrity can be broken down into two kinds:
- Data Integrity – information has not been modified, deleted, or corrupted accidentally or intentionally while in storage, during processing, or while in transit.
- System Integrity – the system has performed the intended function in an unimpaired manner, free from unauthorized manipulation.
Leveraging the following practices and technologies will make sure your voter registration system performs as intended and information is protected:
- Audit Logs – provide records of which data has been modified or deleted (and by whom), help uncover potentially fraudulent behavior, and alert system administrators to changes in system configurations or settings.
- Accountability – train staff members with system access on proper data entry and upload protocol and provide easy-to-understand documentation for reference.
- Role-based Permissions – allow system administrators to assign appropriate levels of access to users based on their training and role. Features and data are available on a need-to-have basis.
- Quality Assurance – make sure your voter registration system functions as intended with regular QA check-ups.
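The audit-log and role-based-permission items work best together: the role check decides, and the log records both the allowed and the denied attempts. Here is an added example (written for this post, not taken from any product) that enforces a small role map and writes every attempt into a hash-chained audit log, so that editing or deleting a log entry after the fact breaks the chain and is detected. The role map, actor names and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed role map; a real system would load this from configuration.
ROLE_PERMISSIONS = {
    "clerk":   {"voter:read", "voter:update"},
    "auditor": {"voter:read", "audit:read"},
    "admin":   {"voter:read", "voter:update", "voter:delete",
                "config:update", "audit:read"},
}


def is_permitted(role: str, action: str) -> bool:
    """Need-to-have access: an unknown role gets nothing."""
    return action in ROLE_PERMISSIONS.get(role, set())


class AuditLog:
    """Append-only log in which every entry commits to the hash of the one
    before it. Changing or removing an entry breaks the chain at that point."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, actor: str, role: str, action: str, target: str,
               allowed: bool, when: Optional[str] = None) -> dict:
        if when is None:
            when = datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "when": when, "actor": actor,
                 "role": role, "action": action, "target": target,
                 "allowed": allowed, "prev": prev}
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; record it somewhere the log's writers cannot alter."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, index of the first bad entry). With expected_head
        supplied, silently dropping entries off the end is caught as well."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.get("prev") != prev or self._hash(entry) != entry.get("hash"):
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def perform(log: AuditLog, actor: str, role: str, action: str,
            target: str, when: Optional[str] = None) -> bool:
    """Enforce the role check and record the attempt either way: the denied
    attempts are exactly the ones an administrator wants to hear about."""
    allowed = is_permitted(role, action)
    log.append(actor, role, action, target, allowed, when)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    perform(log, "jsmith", "clerk", "voter:update", "voter#1042")
    perform(log, "jsmith", "clerk", "voter:delete", "voter#1042")
    print("chain intact:", log.verify(), "head:", log.head()[:16])
```

The chain only proves that the log has not been altered since the head hash was taken, so the value of `head()` has to be stored somewhere the people with write access to the log cannot reach (a separate monitoring host, a signed daily digest, a printed record); otherwise an intruder can rewrite the tail and recompute every hash.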
Availability is the ability for authorized users to access information and services whenever needed. In the context of elections, it is especially critical for systems to work promptly. When a system performs poorly or fails repeatedly, it hinders an administrator’s ability to perform key tasks and meet deadlines and will result in a loss of user confidence.
Some basics to keep in mind to ensure the availability of your voter registration platform include:
- Protection Against Distributed Denial of Service (DDoS) – for as little as $19, cyber vandals can purchase a DDoS-for-hire service (also known as “booters” or “scrapers”). DDoS attacks are illegal, but the low cost means that anyone willing to bring down a website or service can attempt to do so with relative ease.
- Backup Storage – having a backup of data in a separate geographic location is essential for safeguarding against data loss.
- Redundancy – High-Availability Clusters can also mitigate a disaster if hardware fails or data is compromised by an unauthorized party.
- Capacity Checks – proactively monitoring availability and system capacity ensures that your voter registration solution has the bandwidth needed to deliver data and the storage space needed to hold information, and that election-critical applications are running smoothly. Ping, Telnet, and SNMP are some commonly used technologies for availability monitoring.
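As an added example of the capacity-check item (written for this post; not a monitoring product's code), here is a small Python availability monitor: a TCP connect probe that answers the same question a Telnet check does, a latency threshold that separates "up" from "degraded", and a disk-headroom check. Because it has to run offline, the "services" it probes are a loopback listener started inside the script and a deliberately unused loopback port; the service names `vr-database` and `vr-api` are placeholders.

```python
import shutil
import socket
import socketserver
import threading
import time
from typing import Dict, Optional, Tuple


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, Optional[float]]:
    """TCP connect probe: returns (reachable, connect latency in ms)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, (time.monotonic() - start) * 1000.0
    except OSError:  # refused, timed out, unroutable: all count as down
        return False, None


def classify(reachable: bool, latency_ms: Optional[float], warn_ms: float = 500.0) -> str:
    """Turn a probe result into an alerting state."""
    if not reachable:
        return "DOWN"
    return "DEGRADED" if latency_ms > warn_ms else "UP"


def check_services(services: Dict[str, Tuple[str, int]], timeout: float = 2.0,
                   warn_ms: float = 500.0) -> Dict[str, str]:
    """Run every probe and return a status per service name."""
    return {name: classify(*probe_tcp(host, port, timeout), warn_ms)
            for name, (host, port) in services.items()}


def check_disk(path: str, min_free_fraction: float = 0.10) -> Tuple[bool, float]:
    """Capacity check: is at least min_free_fraction of the volume free?"""
    usage = shutil.disk_usage(path)
    free_fraction = usage.free / usage.total
    return free_fraction >= min_free_fraction, free_fraction


# --- constructed local stand-ins so the example runs offline -------------

class _AcceptAndClose(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        pass  # being accepted is all the probe needs to see


def start_demo_listener() -> socketserver.TCPServer:
    """Loopback listener standing in for a healthy service port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _AcceptAndClose)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unused_loopback_port() -> int:
    """Pick a port nothing listens on, to simulate a failed service."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server = start_demo_listener()
    services = {"vr-database": server.server_address,            # placeholder name
                "vr-api": ("127.0.0.1", unused_loopback_port())}  # placeholder name
    print(check_services(services))
    print("disk headroom ok:", check_disk("/"))
    server.shutdown()
    server.server_close()
```

A connect probe only shows that something is accepting connections; for the application itself, the same loop would call an endpoint that exercises the database, and the timeout matters as much as the result, because a service that answers after 30 seconds is unavailable to a clerk with a deadline even though it is technically up.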
And now that you know your ABCs, you are better equipped to safeguard the integrity of your system. As always, if you need any advice or would like an analysis of your system, please contact us.
Voter Registration Vulnerability Assessment
Check to see if your jurisdiction and voter registration system are using the latest security standards and practices. This checklist will guide you through questions to analyze your application security, encryption, infrastructure, and process security.
To receive the free Voter Registration Vulnerability Assessment, complete the form below.