This midterm election, a steady flow of headlines and heated controversy focused not on political leanings or flipping seats (at least directly), but rather on the security and integrity of the voting process itself.
Russian interference in the 2016 election and increasing awareness of the vulnerability to hackers of virtually any computerized system led to a scramble for U.S. election officials to attempt to secure outdated, unreliable voting information systems and to provide some semblance of reassurance to voters that the representatives chosen to preside over the levers of power were legitimately elected in a transparent way.
It's not known yet if these efforts to secure the electoral process worked, but in the mean time there are some takeaways for any organization struggling to define cyber security policies and protect itself from cyberattack.
Here are three lessons from the 2018 midterm elections.
The outcomes of more than one midterm election will very likely enter the history books with an asterisk. In Georgia, Secretary of State Brian Kemp's responsibility for overseeing the election process and his refusal to recuse himself (or resign while he ran for governor) created a conflict of interest.
Add state-wide reports of technical glitches and errors with the least cyber-secure variety of voting machine (direct recording electronic voting machines have no paper trail) and Kemp's own unsubstantiated accusations of Democratic hacking of the voter database, and it's likely that a sizable portion of the population will view either outcome as being illegitimate.
In other words, voters won't believe the election was fair and accurate. Election integrity depends on voter confidence, which in turn depends on competent election security.
The lesson here for companies is straightforward: demand independent vetting of your security. Employees from the mailroom to the C-Suite often fall prey to a false sense of security because there hasn't been a hack yet. Lax standards creep in for the sake of convenience, and a compromise becomes a matter of time. If you doubt it, consider the recent Chubb survey, which found a 930% increase in cyber insurance claims filed by businesses alongside this: 75% of respondents believing that their companies had "excellent" or "good" cybersecurity practices.
It's optimistic to think a company can reliably self-assess when presented with an obvious conflict of interest: keeping the trains running on time makes track repairs difficult to schedule.
Effective cybersecurity requires money, time, and training, all of which can easily be avoided by lowering standards and declaring existing systems to be "good enough." Testing by external security companies often provides more reliable, accurate assessments of just how well-protected your organization actually is, and in the long run it's cheaper. The average cost of a breach last year was $3.62 million.
Planning Ahead and Acting Quickly
Evidence of foreign interference in the 2016 elections should have been met with a rapid response. Our elections underpin the entire system of government in the United States, and its legitimacy is essential to the proper evolution of what Alexis de Tocqueville called "the great democratic experiment."
Instead, the federal government provided $380 million to states to update their election security as part of a budget passed on March 27th 2018, less than eight months before the 2018 elections. It was better than nothing, but still inadequate: just over half of the budget was handed over to a little over half the states. The Senate itself voted to not allocate further funds to election security in August of 2018. Not impressive.
"In some ways, the United States has broadcast to the world that it doesn't take these issues seriously," said former Facebook security chief Alex Stamos on the subject, declaring the efforts to be too little and too late to secure the 2018 elections.
Here's your take-away: Don't do cybersecurity at your company the way the United States does election security.
Hacking and data breaches should be regarded as an "all hands on deck" threat. Businesses need to be great when it comes to breach response times. Too many businesses have yet to learn the lesson, resulting in mitigatable if not avoidable damage to both themselves and their customers.
Security as Ecosystem
Russian troll farms and state-sponsored hacks of state and county voter rolls show that election security isn't limited to voting machines, but rather what Jason Casey calls the election ecosystem, which includes "state actors and the actual voter base along with think tanks, super PACs, political parties, election officials, lobbyists, and other invested groups."
Threats to election security aren't limited to voting machines, and limiting awareness of election security to the topic of voting machines is beyond dangerous. There is a broader attack surface including everything from social media and disinformation campaigns to insecure networks and an individual county's email systems.
Attackable surface is an issue that should be considered mission critical in business, too. In an era of remote and distributed workers, Bring Your Own Device (BYOD) offices, and increasingly widespread and sophisticated supply chains, focusing security efforts on local equipment and computers will no longer suffice.
A malware-ridden mobile phone, a disgruntled former employee, a careless click on an email, or a compromised vendor each present potentially enterprise-killing (or at least enterprise maiming) entry points for hackers. In much the same way that Facebook became an unexpected attack vector for elections (outside the Facebook c-suite), businesses now need to have an awareness of each and every potential point of entry for their networks, and secure them wherever possible.
We all have a lot of catching up to do when it comes to cybersecurity. Attacks from hostile governments can come by way of a Facebook ad or a sophisticated hacking campaign; both business and government alike need to learn from one another's mistakes to be safe from the legion forces out there looking to storm the gates.