Small governments seem to be stuck between a rock and several hard places.
Small governments (counties, towns) don’t have the resources of state governments and, unlike the federal government, typically have to stay on budget. These small governments are targeted with the same malware attacks that businesses face but are likely less agile and have fewer internal resources to address these risks. As if this situation were not bad enough, elections put information security in the spotlight, and anyone running election services and equipment will have a big “hack me” target on their back.
The State of Ohio released a series of requirements this year for each county’s board of elections, together with tools and services from the Department of Homeland Security (DHS). It is nice that along with the requirements, the state (through DHS) is providing tools and guidance to meet Center for Internet Security (CIS) standards. If the county needs help beyond what DHS provides, $50,000 grants might be available.
Looking over Ohio’s program through documents released by Frank LaRose (Secretary of State), I believe the controls seem well planned and comprehensive with one exception. The program concentrates on the important aspects of risk analysis, testing, and standards, but training is hardly mentioned.
I suspect this is related to the fact that a search for “Security Awareness” on the Center for Internet Security’s website yields very little content especially from their 2017 and 2018 newsletters. The newest newsletter from CIS to have Security Awareness as a topic is apparently from September 2018. The state of Ohio’s guidelines for training are in the Technical Security Document which has been excluded from public disclosure (R.C. 149.33).
There is cause for great concern when a state’s election security measures do not include well-designed and implemented Security Awareness training.
Security Awareness is the principal means of defending against attacks known as Social Engineering. Social Engineering attacks go AROUND the defenses described in what we know of the infrastructure requirements in Ohio’s Secretary of State Directive. The requirements do state that once a year there must be training on “cybersecurity and physical security”, but what this training includes, how many hours of training are required for various roles, and what skills must be acquired are not spelled out. On infrastructure topics the directive is reasonably detailed, calling out defenses against Distributed Denial of Service attacks, use of PKI certificates, Office 365 tools and others.
To ramp up infrastructure security and pass off Security Awareness training as a ‘check box’ is like fortifying your front door with battleship armor and guns then leaving your back door open with a sign that says “Evil Hackers Welcome Here”.
About the most that is offered from the CIS initiative website are free Security Awareness Week posters from 2018.
The CIS website tools are not the only ones provided to small governments that seem to mostly ignore Security Awareness training. The Global Cyber Alliance (GCA) free toolkit for governments is designed to help stop election system hacking and has many dozens of videos and tools, but only a couple on security awareness topics. The videos I watched from this toolkit were not updated to current NIST recommendations on password security.
Security Awareness training is critical for protecting against social engineering attacks such as Ransomware and attacks through workers’ personal devices that are not protected by the state or local government infrastructure.
The U.S. Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year. 
More than 63% of experienced security experts believe that a successful cyberattack will happen in the next U.S. election, citing methods primarily addressed in Security Awareness training as the means of attack (Social Media and high-risk worker behaviors). 
Security Awareness is the best bang for the buck in the realm of modern security defense and a component that becomes more critical every day. Sadly, many security initiatives lag behind and still over-focus on physical and software security, leaving out the very workers that use these tools.
It is my hope that local governments will go beyond thinking that simple phishing exercises constitute security awareness training. To protect our election systems we need both firewalls AND workers that know how to spot a con, recognize a threat and take the appropriate action. In addition to this, security awareness programs will need to address remediation, social networking, mobile/personal devices and modern NIST password guidelines.
If you are a decision maker in a local government, please consider contacting a security awareness expert fluent in adult learning and program design. The effort might be covered in part by grants. Your desire for due diligence is a worthy goal.
“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.” -Kevin Mitnick
CADRE CAN HELP
Cadre has been helping several counties with their security posture with new Firewalls, Network Assessments, Multi-Factor Authentication, Network Access Control and Security Awareness Training. There are many IT Security Services that the State of Ohio and other states are offering their counties for free. For those services and products that are not offered, we can help.
The value we bring to the table is our years of experience of only selling IT Security best-of-breed products and services. We are interested in helping our clients feel secure about the tools they have in place today and making sure new purchases are the right solution to protect sensitive information and prevent unauthorized access to their network and election systems.
Please reach out if you'd like more information. We have some great references!