This section of our website is dedicated to educating Clark County voters about how State and local election officials protect election systems and data. Securing systems and data is a continuous effort in Clark County’s elections community, and the systems and data we use are protected by the industry accepted best practices for critical information systems. We hope that this information is useful and assures you that Clark County’s election officials are serious about protecting our election systems and data and voters can be confident about the integrity of the election process.
What is the difference between a “probe,” a “breach,” and a “hack”?
There are different words to describe cyber activities – scans, probes, breaches, and hacks – and they mean different things.
- A “scan” is an automated way of reviewing websites, typically for content. Scans happen every day on every website. It is the equivalent of a potential burglar driving down your street looking for open windows.
- A “probe” is an unsuccessful attempt to gain access to a system. This is the equivalent of a potential burglar trying to open a door but the door is locked.
- A “breach” or “hack” is a successful attempt to gain access to a system.
How do we keep Clark County’s election system safe?
Each election system is designed and used differently. As a result, the risks of each system and how we mitigate those risks are different.
For example, the certified voting system is never connected to the Internet. This means that the risks associated with the Internet are not present. We, however, use memory devices to transfer election results. This means that we must address the risks associated with securing data on removable memory devices. By contrast, the online registration and ballot request system is connected to the Internet. As a result, we must manage the risks associated with Internet.
Generally, we use a multilayer defense or “defense in depth” to protect election systems and voter data. Simply put, we use various tools to protect the systems – one check verifies another check and redundancies exist to protect and restore system and data.
- We use experienced vendors and consultants to host, maintain, and protect systems. They use analytics tools and artificial intelligence to monitor websites and network traffic and identify unusual behavior.
- We take advantage of the cybersecurity services offered by the Department of Homeland Security (DHS).
- Each week, DHS scans our websites looking for vulnerabilities and reports on their findings.
- DHS performed a Risk and Vulnerability Assessment on many of our systems. This assessment included penetration testing, web application testing, and social engineering exercises.
- DHS performed in-depth non-technical assessment on critical systems. This assessment helps us understand how resilient our systems are and how we manage cyber risk.
- DHS performed an assessment of our cybersecurity practices on critical systems and how we manage risk associated with our vendors and third-parties we rely on (for example, public utilities, telecommunications).
- We take advantage of other services offered by DHS. Representatives of DHS are assessing our local office and warehouses to improve the physical security of the buildings.
- We regularly perform software updates and verify that local election officials’ computers are also updated.
- We own vulnerability scanning and penetration testing software and regularly run scans, analyze results, and mitigate findings.
- We look for patterns in voter registration and absentee voting behavior to identify possible unauthorized transactions.
- We only use a voting system that has been thoroughly tested at the federal, state and local levels.
- The voting system has been tested by a federally certified testing lab and approved by the U.S. Election Assistance Commission. The federal testing process includes security reviews as part of the testing process.
- The voting system has been tested at the State level. Before the current system was first used in 2016, we performed rigorous testing before we recommended it for use.
- Each voting unit is tested before it is accepted into the State’s inventory and each voting unit is tested before each election.
- We follow strict security and “chain of custody” procedures.
- We conduct comprehensive post-election audits to verify the integrity of the entire process. These audits are heavily focused on custody of critical election supplies (for example, memory devices used in the voting equipment), voter transactions, and the accuracy of the election results.
- We timely receive and share cybersecurity information. We receive alerts from the federal government – including DHS and the U.S. Election Assistance Commission , the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) and share this information with local election officials, and take action based on these alerts.
How would we recover if one or more of our systems or data is compromised?
Although we rigorously and continuously protect our systems, we also have equally rigorous plans to restore systems and return to “business as usual” if any of the systems become unavailable.
- Both State and local election officials have disaster recovery plans.
- We continuously back up our IT systems and the data in the systems.
- We test plans and practice responding to various scenarios.
- There are contingency plans in place for early voting and Election Day. If the electronic pollbooks can’t be used, each voting location has a back-up paper list of registered voters.
If the scanning unit won’t accept voted ballots, each unit has an emergency ballot bin where voters can deposit voted ballots for tabulation later. Replacement equipment must be deployed within 2 hours but during this time, voting will continue.
Clark County’s voting system is a paper-based system. This means that if the results on the memory devices can’t be used, election officials can use the paper ballots marked by voters to generate election results.
Are we ready for the 2018 elections?
Although much of the work of election official’s ebbs and flows, our cybersecurity work does not – it is continuous.
- We welcome the additional resources DHS has made available to election officials. These free services help us confirm other findings and identify areas of improvement.
- We have mature IT systems that are protected and monitored in multiple ways.
- We remind the election community of the need to be vigilant to protect the systems from phishing attacks, malware, ransomware and other methods of attacks.
- We are including in contracts requirements for vendors supporting the election process. These requirements include installing updates and having and testing disaster recovery plans.
We hope that this information assures Clark County voters that we have taken the appropriate steps and implemented best practices for information systems to protect the systems and data we use to conduct elections. From the voter registration process to the voting process to the posting of election results, we have ways to protect, monitor, test, and restore the systems and processes. We are constantly looking for ways to enhance how we protect these systems and respond to new risks.