5 minute read
The Four Counties
a cyberattack incident. An incident response plan should include an incident containment process that minimizes the scale and scope of damage and should address issues such as malware, ransomware, denial of service, intrusion, information access, compromised data, insider threats, compromised accounts, loss of election systems, social engineering attack, or a data breach.
The Secretary of State suggests creating a continuity of operations plan (COOP) that considers how a cyberattack or other disaster would disrupt an election and explain fail-safes, backup processes and systems to keep critical functions operating if such an incident occurs.52
An election system security plan also provides explicit written protocols that safeguard election data on equipment from cyber threats and other disasters. This type of plan should define security controls that encompass the full scope of how election and IT systems support elections; include the complete range of election processes from registering voters to reporting results; outline how election equipment and systems are secured and stored; and include how voters interact with systems.53
The Secretary of State recommends that elections offices create a vendor risk management policy or a set of guidelines that ensure that third-party vendors are not introducing exploitable security gaps in their products. An ideal policy should request that vendors provide a copy of their EISP to evaluate the vendor’s security measures. Vendors should also allow periodic evaluation to promote transparency on how they protect information and systems. Using this policy, elections departments should also be able to document how the vendor will support the organization during execution of the COOP.
Collin County
In Collin County, only individuals with badge access are able to access certain areas within the Elections Department. Collin County’s facilities department is responsible for programing and coding badges, which controls who has badge entry access. Collin County’s system keeps a log of all entries to certain areas including the date, time,
52 The general custodian of election records shall create a contingency plan for addressing direct recording electronic voting machine failure. This plan must include the timely notification of the secretary of state. See Tex. Elec. Code § 129.056. 53 Election Security Best Practices Guide, Texas Secretary of State Elections Division, (April 2020), https://www.sos.state.tx.us/elections/forms/election-security-best-practices.pdf.
location, event description, and individual involved. Collin County provided this log for review. An event marked “forced” entry appeared in the report. “Forced” could appear if the door was held or the door has a push bar and the door was pushed from the bar and opened. The report only contained the single instance of a “forced” entry and it appears that a cleaning staff member attempted to gain access to the secure area and was denied.
Collin County provided FAD with their continuity of operations plan to review during an on-site visit to Collin County. The plan adequately set out procedures to follow in the event of an emergency and contained a protocol that included notifying the Secretary of State in the event of an emergency or disaster. Collin County noted they did not have any of the other plans from the Election Security Toolkit in place, but had been contracting with a vendor to do so.
Dallas County
During the 2020 General Election period, Dallas County normally operated with approximately 40-50 members of regular staff. In addition, they maintained between 700-800 temporary workers to assist with the election. Access to certain areas of the elections’ facility was restricted based on the category of workers through the use of badges. In 2020, the Elections Department requested that the County provide additional categories of workers in order to more carefully control who had access to certain areas. This request was denied and they were forced to use limited categories. This limitation resulted in the Elections Department moving forward with less categories than it believed was necessary given the sensitivity and nature of their operation. FAD was provided a copy of the door access matrix in use for the 2020 General Election which included categories of workers, restricted hours of access, and restrictions on locations to which workers had access.
Dallas County did not have any of the Secretary of State-recommended Election Security plans in place for 2020. They did internally discuss risks associated with outsourcing services to third parties and worked to reduce them. They dealt with and responded to cybersecurity threats without a plan, and they discussed the possibility of emergencies and how to handle an emergency if it occurred. Dallas County provided materials with checklists and risks to be aware of from national resources that they reviewed, but no formal written plan for Dallas County was in place in 2020. Dallas County also provided documentation regarding certain voting system security measures in place in 2020 by virtue of their voting equipment vendor, ES&S. Dallas County hoped to create a position for one individual who could address all of the security matters for the Elections Department in the future.
Dallas County has since contracted with a vendor to assist them with developing a security and emergency response plan.
Harris County
Harris County advised they did not believe they had a continuity of operations or emergency response plan in 2020 and would check on whether any of these plans existed. Harris County indicated the county had protections in place against cybersecurity threats. Harris County never provided this information.
Harris County has since contracted with a vendor to create a security plan and is in the process of exploring their options in creating a more robust security plan.
Tarrant County
Tarrant County maintains a checklist that assists them with ensuring only those with proper access may view certain documents and have access to certain areas. They were proactive about reviewing their records to ensure departed employees or staff do not retain access to restricted areas or information. In Tarrant County, only individuals whose job activities require access to certain areas have access and all visitors in the building must be escorted by someone with access.
Tarrant County had both a continuity of operations plan and emergency response plan that was provided for FAD to review during an on-site visit. The plan included information regarding what to do in certain emergency situations and noted that the Secretary of State was among those who could postpone or delay an election. These plans did not, however, include that the Secretary of State must be notified in the event of an emergency or disaster. Tarrant County did not have any of the other plans in place from the Elections Security Toolkit, but continue updating their security protocols.
