Election Security - A Race Without a Finish
We have two guests joining the podcast this week to talk about election security - Marci Andino, Senior Director of the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) at the Center for Internet Security, and Trevor Timmons, chairperson of the Executive Committee of the EI-ISAC and CIO for the Colorado Secretary of State.
We cover everything from the history of election security through to the present day, including the creation of the EI-ISAC in 2017, physical versus cyber security, the role of paper ballots for validating digital results, mis/disinformation during elections, insider threats among election officials, and the importance of resilient systems and chain of custody process.
Election Security - A Race Without a Finish
[03:28] Working with Election Officials in Improving Election Security
Rachael: Let's welcome to the podcast, Marci Andino. She is the senior director of the Election Infrastructure Information Sharing & Analysis Center, better known as EI-ISAC at the center for internet security. Also joining us is Trevor Timmons, chairperson for the executive committee at the EI-ISAC. He also serves as a chief information officer for the Colorado Secretary of State. Marci, Trevor, welcome. This is going to be great.
I want to start with Marci. You have been in the election world in the trenches for quite some time. I imagine in the time that you've been working there, you've seen so much change. It'd be interesting to hear your perspective as we roll forward to what we're seeing today. I think that background and context could be really fascinating for our listeners.
Marci: I spent 19 years as the chief state election official for the state of South Carolina and moved over to the EI-ISAC late last year. It's been an incredible experience. I'm thankful that I'm able to continue working with election officials and helping them to improve the cyber security of their elections.
Rachael: When did the EI-ISAC come into being? It's recent, yes, when we started seeing a lot of these things happening in recent elections in the last 10-ish, five, 10 years.
Marci: Yes, it’s relatively new. In January of 2017, elections were designated as critical infrastructure, and the EI-ISAC was set up in 2018. We're just four years old and it feels like a lot longer in some ways.
What Does the EI-ISAC Do?
Eric: What does the EI-ISAC do? Just so our listeners know. I'm not sure they're experts on elections, I'm certainly not. We talk about ISACs a lot but there are differences between the different ISACs.
Marci: There are. We focus 100% on elections. Our target audience or our members are states, local, tribal and territorial election officials. We work with them and we provide all types of no-cost professional services and products so that we can improve their overall cyber security posture.
Eric: I'm assuming that includes information sharing, the communication mechanisms to better communicate across the different states, the different election officials with the government, and the like.
Marci: That's an important piece of it. We provide intelligence and information sharing, we provide them with professional services training like tabletop exercises, and we also provide products. Then we partner with leaders in the industry to provide products to help secure their networks.
Eric: Trevor, you're in Colorado. You're the CIO effectively. How does that impact you? What's the difference since 2018? What have you seen?
Trevor: Well, since the establishment of the ISAC. I'll actually roll the tapes back a little bit to 2016. It was the summer of 2016 when Jeh Johnson, who was then the secretary of Homeland security for the US government. They held a phone call with elected officials across the nation. I'm sure Marci was on that phone call. I was on that phone call; folks from our office. They were broadcasting that they were seeing attempts from foreign nations to influence and affect our election in 2016.
Eric: Was that the presidential election or one of the primaries or multiple elections?
Prior to the November 2016 Presidential Election
Trevor: They had seen this ramping up, but this was prior to the November 2016 presidential election. That phone call from DHS, believe me, I have spent more time talking with three letter agencies in the past five years of my career than I had in all the time before that.
Eric: Don't they usually have to kill you if you talk to them or something like that?
Trevor: Fortunately, I don't work with those three letter agencies. But they were reaching out because they had seen a couple of different things. They had seen cyber security attacks and attempts to penetrate infrastructure in states and locals that are responsible for elections. But they'd also seen some disturbing foreign influence operations on social media platforms. So, the secretary of Homeland Security was reaching out. He’s saying, we do this work for critical infrastructure operators across these 16 sectors that have been designated as CI, as critical infrastructure.
He said we're offering those services to the election community, state, and local. You can take advantage of those, even though you're not critical infrastructure because we see this as a growing threat. So, they supported us again. That was early August of 2016, all the way through the election. Then, as Marci already mentioned in January 2017, elections infrastructure was formally designated as critical infrastructure.
Eric: So, that happened in '16. We've got another election, another presidential election in '20. That's four years. In '20, we have another election. We now have the EI-ISAC that's formed. How has the EI-ISAC changed the way you work, the way you communicate, and the way you get information? I don't know. What have you seen benefit-wise? What's changed?
Free Services For Election Security
Trevor: Marci can talk about some of the free services that they offer. I can rattle some of them off. They offer devices out to state and local jurisdictions called Alberts. They're essentially intrusion detection, devices.
They collect net flow information from state and local election officials and push it up to CIS, to the EI-ISAC. If they see an activity that is concerning from that net flow information, that from the Alberts that are distributed across the nation, they can actually see, oh, we're seeing malicious traffic coming from this IP range. We saw it in a particular jurisdiction. They can then go scan through net flow traffic and see if they've seen it in any other jurisdiction and proactively warn people about what they're seeing. That's just one thing.
Eric: You're seeing attacks from, let's just say the internet research agency St. Petersburg, Russia. We're seeing network traffic there beyond the alert, heads up, get your people focused on this. Or maybe even the government will help you. So, how many people take advantage of services like this? I imagine some states may say, I don't want the Alberts on my network.
Trevor: I bet Marci has up-to-date information, but most jurisdictions are taking advantage of the Alberts. It's really an early warning system.
Eric: At the national level.
Eric: Even though elections are state and local activities, and please correct me, I'm not an expert here. They're a state and local activities. You're getting the help and benefit at the national level to ensure you can do your job effectively and properly.
Marci: That's right. We are stronger together.
Eric: I think in most things in life, I'd agree with you there, Marci, that we're always better together.
Trevor: We may speak about some of the other services that the EI-ISAC offers, but the other piece that you were just hitting on, is the community. Prior to the establishment of the EI-ISAC, individual states, we talk to each other. Individual localities, talk to each other within their state, but they may not talk across political boundaries a lot.
The EI-ISAC has given that community structure so that we're all gaining access to the same intelligence information alerts, warnings, and guidance. They have really become a focal point for pulling together information on best practices around cybersecurity, both risk assessment, so you can better understand maybe where some of your risks are, and then also on how to remediate or mitigate those risks.
Eric: If you have a problem, let's say there's a network penetration. You know there's a compromise on an election machine or something like that. I don't believe in 2020, we had anything, from what I understand and research. But let's say that happens. Do you then have the ability to bring expertise either from DHS at the national level, the FBI, or work with other governments like yourselves that may have that expertise to help you?
Trevor: That's definitely the case. It's another outcome of building that community. In Colorado, we've had a relationship with our local FBI for a while. Every FBI region office has an agent that is specifically designated for election crimes. They're called an election crime coordinator. Prior to 2016, most of the election crimes they would have focused on are actual voter fraud or someone interfering with an individual's right to participate in elections. It's things like that.
[11:58] Election Security Caught Cybersecurity's Attention
Trevor: Since 2016, when attention really came to cybersecurity as a risk area and actually maintaining voter registration lists and the act of voting. That's when FBI, CSA, DHS, now CSA, the EI-ISAC has really come into its own, I think, in terms of getting information out.
Again, that safe space for sharing information about what risks people are seeing, what sorts of exploits are being attempted, and then proactively actually reacting to those things and preparing for those things as well.
Marci: I was just going to say if an election entity has an incident, we also have an incident response team. We are prepared to go out and assist them in the event that happens.
Eric: We, being the EI-ISAC.
Marci: That's correct. The EI-ISAC is part of the center for internet security. We're a nonprofit community-based organization. We are led and guided by election officials in the EI-ISAC portion, but we also have the multi-state ISAC that supports state and local governments as well. ISAC has been around for 20 years, and the EI-ISAC is relatively new.
Rachael: I'm just fascinated particularly in 2016 when they had that call. Everyone's learned so much more about election security in the last few years. It's such a fascinating topic because there's the physical aspect. There's the digital aspect, but then there's also the social engineering aspect. I'm always, how can you even address things like misinformation, malformation, disinformation? There are so many different elements of that. How are we trying to get a handle on that in addition to all the other stuff?
Trevor: I'd love for Marci to talk about some of the programs that the EI-ISAC has stood up for.
Election Security: A Hot Topic on Elections
Marci: Misinformation is a very hot topic in elections these days. Since late 2020, the MS or the ES-ISAC has provided a platform where election officials can report misinformation, disinformation, or inaccurate information. We encourage election officials to report anything they see on social media that's just inaccurate or misleading if it's about their jurisdiction or about the election process.
What we do, first of all, is verify that it is coming from an election official. We ask them to provide us with some information like a screenshot, or a URL, so we can go out and locate what they're seeing. Then we want them to tell us why it's inaccurate. Don't just tell us it's wrong, but tell us why, show us the statute, regulation, their procedure, then we pass it on to social media platforms. We don't make any decisions about accuracy or inaccuracy.
If it's reported to us, we simply pass it on. And this frees election officials up, so they can do what they're there to do, and that's conduct elections. Many of these things come in when they're at their busiest and they don't have time to focus on finding the person to report to on the various different social media platforms. That's something we can take off their plates. Once it's submitted, we will follow up with the social media platforms and report back to the election officials, so they can, again, focus on what they're there to do.
Eric: I'm feeling very encouraged right now like things are working at the public-private partnership level, the nonprofit component. This is really government trying to do one of the foundational components of government, and it sounds like we're doing it well.
Eric: I'm just, I'm reminded of Chris Krebs, who was the first director of CISA. He did an interview. During my research, I pulled this up on November of 30th of 2020 saying that they spent three and a half years gaming out every possible scenario.
I'm quoting him here, for how a foreign actor could interfere with an election, countless scenarios. He called the 2020 vote, the most secure election in American history. Now, he probably got fired for that, and we love Chris, so we'll deal with that later. In 2016, we recognize there were problems. The EI-ISAC is formed in 2017. You've seen progress. It sounds like the progress has been substantial. I'm assuming it's continued on since then even.
Marci: It has been called and it was, in my opinion, the most secure election, but the threat landscape continues to change. So we can't rest on our laurels. We have to keep being proactive and looking for new ways to protect election infrastructure.
Eric: We're going to get to the new threats in a minute, or maybe not new, but newly reported threats in a second. Trevor, you were going to comment on that.
Trevor: I was. I wholeheartedly agree with former director, Krebs. We spent so much time doing tabletop exercises, training for what could happen. What's a good response, what's a better response. Talking to communications teams at the local, state, and federal levels in terms of how we would respond to funny questions or to issues that pop up.
The preparation really for the 2020 election, understanding that there are folks who wish our government and our democratic process ill. They seek to leverage division amongst US citizens, one against another. We saw a ton of that.
The Most Secure in Terms of Election Security
Trevor: I do believe it was the most secure election that we've seen. But it's interesting because a focus on cyber security and physical security, it's been around for a long time. The voting machines that people use to cast their ballots, how they're scanned and tabulated, and how the totals are brought up, there's been a regimen of federal certification for those machines going back for over 25 years.
It's called the voluntary voting system guidelines. The specifications, the testing, and how you would know that those machines are reliable, it's been well understood for a long time. There's always room for improvement. I'm encouraged that the US election assistance commission is the group that does those. They develop those certification tests. They're moving that forward, so we can have the voting equipment even certified and tested at a better level to address the evolving nature of the threats.
But the second thing is cyber security on machines that are network connected, because generally those voting devices, they're not connected to networks. They're not subject to exploits over the internet, but voter registration databases, maybe. So, those best cyber security practices, I've been doing this work for a while, both in the election space and otherwise.
Credit card security standards through the payment card industry council, have been around for a long time. It's that same mindset around cyber security, detection, protection, response, and recovery. Those are the same concepts that we apply to any of those state voter registration databases that may be internet accessible.
Eric: I'm so encouraged by this conversation. You're really protecting it like we would expect the banks to protect our financial information, our money.
Are We Getting Better?
Eric: It just seems like we're working and we're getting better. You hear in the press, and I know it's sensationalized, all the risks and everything. It seems we aren't even connected to the networks with most of the voting machines, from what I'm hearing. So really hard, really difficult to change a vote or mess that up, I'm betting from a cybersecurity perspective and we're doing a lot to protect ourselves.
Trevor: I want to mention one other thing because this was a point of emphasis by Chris Krebs, is that after the Help America Vote Act was passed, there was a need to provide voting equipment that could be used by people with special needs. So accessibility to voting was a big emphasis of the Help America Vote Act. In the 2020 election, over 90% of all of the votes that were cast in the United States were cast by a mark on a piece of paper, they were paper ballots.
What that gives us is that gives us the ability to audit those afterward. Everyone has seen the stories about Georgia and Maricopa County in Arizona and all this. I think particularly in Georgia because they went very deep on Georgia. People challenged whether that election was legitimate or not.
What is lost in the stories about some of the Kraken stories about China flipping boats and everything is that the election was audited at least three times. They weren't looking at memory banks on a computer, at marks on pieces of paper. Human beings look at marks on pieces of paper to demonstrate, to tally them up and see who won and who lost.
[22:26] Interesting Ways to Ensure Election Security
Eric: I've seen some pretty unique cyber-attack behaviors, and interesting ways to get into systems. I can't recall any time in my past 25 years where I found ways to break into paper from China or Russia or a foreign country or a state. That would be hard. My mind's going to maybe put a 3D printer in place or something, but I just don't see how you alter paper from afar as easily. That's awesome to hear, it really is.
Maybe you would attack after the counts are made and they're in Excel or whatever the forum is. Hopefully, it's not Excel. Maybe you would attack that system, but altering papers? Really hard with keystrokes unless there's a printer attached on the other end.
Marci: Trevor really nailed it with the accessibility of voters, election officials and even voting system vendors have always been challenged with balancing accessibility with security. You can have a system that's so secure, that no one can use it, or you can have a system that's accessible to all voters, and that includes voters with disabilities. That's very important.
The vast majority of all systems that are in use today produced a paper record or start with paper. At the end of the day after the election's over like you said, you have that piece of paper that is used for auditing elections. That is the official record of the election. That should provide a lot of security to people listening to this podcast.
Eric: That brings up a good point though. Even if you were able to break into the system digitally and alter the results, when you go back to recount, you're going back to paper.
Eric: You would get a different result if the final results were edited digitally. That brings up a recent article. Politico came out with a report on 7/13, where it's talking about trusted insiders. These are physical humans, I believe the way their article reads, and how they might seek to manipulate ballots or voting equipment from inside. You're not worried about digital security from afar necessarily, but people cracking into these systems. To what extent does DHS or the EI-ISAC view this as a problem? How are you thinking about that?
Marci: In the light of the recent advances, this is a concern. If you think about an election as the largest one-day event in the world, it takes a lot of people to conduct an election. Election officials can't do it alone. They have to bring in hundreds and even thousands of coworkers to be able to carry off elections. So, they need to be careful about who they bring in. They need to thoroughly vet everybody that's going to be working in elections and only give them access to what they need access to.
Don't give away the keys to the car if they don't need the car. I’d like to think that they should add to their training of poll workers, just a reminder that if they see something at the polling place that seems suspicious, even if it is the behavior of a fellow poll worker, they should report it immediately because these are the poll workers.
We could not conduct elections without them, and they are our friends and neighbors, and coworkers. But you don't know everybody that comes into the process and it takes literally hundreds and thousands of poll workers in each jurisdiction to pull off an election.
Advocating Election Security: If You See Something, Say Something
Marci: Sometimes you're going to get somebody in there that isn't in there for upholding democracy and they're going to take advantage of the system. I think if you see something, say something.
Trevor: I just want to tag along on what Marci said. Those election poll workers that come in to do signature verification, to check that a ballot was returned by the person that it was sent to when ballots are being scanned in the pre-election audits. They call them logic and accuracy tests where you take a known set of ballots, you run them through a scanner, you tabulate them, and you make sure that the results are 100% spot on what you would expect them to be. We also do post-election audits.
We’ve done a particular variety in Colorado called risk-limiting audits that are based on some really heavy Math just to make sure that the outcomes are correct. When all those activities are happening, they're happening with bipartisan teams. You've got an R and a D who're watching election professionals as they're going through all these procedures. Now, I think that's awesome. That's how this has been done for a long time. You mentioned the recent article on insider threats. It reminds me of another phrase that Chris Krebs used to use and Jen Easterly, the current director of CISA uses, and it's “resilience”.
We need to have resilient systems, appropriate access controls, and chain of custody logs. I know in Colorado we have 24 by seven video monitoring of voting equipment. When it's in storage, when it's being programmed, we've got multiple eyes on it. We're not leaving it over to one individual who's trusted with the keys to the kingdom.
A Pretty Common Way
Trevor: We have separation of duties which is a pretty common way of trying to provide protection against systems, that's just part and parcel of the elections process. One other thing I just need to add on, I think DHS and CISA are well-positioned to provide advice through the EI-ISAC to state and local officials. They've got a ton of materials on insider threats within the classified information space.
There have been instances where people with clearances have gained access to information, and then they're trying to leverage it for profit or whatever. Some of those strategies that CISA and DHS and the federal government have adopted around protecting yourselves from insider threats, they're directly applicable to the election space.
Marci: I would add while we're talking about insiders coming in with nefarious intentions, it also can be a very innocent intent or not intentional, but it can be very innocent. Something like an employee clicking on a phishing email, a bad link, or opening an attachment. A lot of times, election officials do have to open attachments because they could be from military and overseas voters. It could be a request for a ballot.
So, it's important to remind all employees, whether they're seasonal employees or they're permanent employees, just to raise that awareness about cybersecurity. Make it part of your culture, where people are thinking about it every day. As they get busier, as it gets closer to an election, that's when it's important to continue those reminders.
Eric: Marci is this type of education, I'll call it education, shared via the EI-ISAC? I've got to think of some really rural places where we've got volunteers who are serving as election officials who don't have an IT background.
Marci: Maybe they're retired, they haven't been in IT. They just picked up email or something. They're not trained is what I'm saying as an IT worker or somebody might be in what a phishing attack is, what disinformation misinformation is, and how to deal with these things. Do you share that type of information also?
Rachael: That sounds like maybe your cyber strong campaign, Marci.
Marci: You are getting that one right. All of those things are in all of our materials and our presentations. We do have a cyber strong campaign and it gives six steps for election officials to follow, to secure their systems. But one of the messages that I take is that cyber-attacks can happen anywhere, and cybersecurity is everybody's responsibility. That's why they brought me on, they wanted somebody with election expertise that can talk to election officials and speak their language, not speak cybersecurity to them.
My point has always been it's everybody's responsibility and the internet is a level playing field. If you have a website, if you have email and you're on the internet, it doesn't matter if you are the largest county or the largest state or the smallest, it's just as easy for an adversary to reach you. That's something that election officials have to deal with and have to acknowledge. That is why these steps are for everyone.
Rachael: They're free resources too, which I think is amazing for folks to have access to that. I like how strong it spells out the different steps.
Marci: The S in strong is stay connected and that's the beginning of it as we encourage every election official to join the EI-ISAC.
[32:53] What's Going on with the Election Security Implementation
Marci: If they're already a member, make sure that their information is up to date and that they're not just a member. You can't just check that box and say, yes, I joined, you've got to stay engaged so that you're receiving up-to-date information about what's going on in the election cyberspace.
Trevor: I want to touch on a couple of things because you mentioned how many rural government offices are involved in running elections. You are right on. There are some very large organizations, counties, and cities that have election responsibilities, but by and large, there are so many small and medium-sized entities out there that have this as part of their core responsibilities. And there are a couple of things that the EI-ISAC is doing specifically to address those. One is In Point detection and response software that can be installed on every device inside that election's office.
Eric: We're not talking voting machines here. We're talking the windows computer, the election is officially receiving their EI-ISAC communications on emails. You name it. Everything.
Trevor: Yes. We're not talking voting equipment. Again, that's not network connected, but anything that they're using to manage email communications with residents and citizens in their area where they're getting the information that Marci and the team are sending out. So this software, it's what you find on a workstation in a bank or in any private company that is trying to protect itself from advanced persistent threats and malware and it's free and it's managed by the operations team at CIS. It's fabulous.
Eric: Is CISA providing that capability?
Trevor: CISA is providing the funding that allows CIS and the ISAC to offer that service.
Marci: That service is 24/7, 365.
Eric: They're providing the Albert capability, which really networks packet scanning, looking at the network, what's going on the network. They're providing funding and capability for EDR or XDR capability at the client side also. The federal government is really supporting state, local and tribal governments to ensure that from a cybersecurity perspective, we're doing everything we can to observe and address and react to what's happening on the systems and the networks as they relate to the voting process.
Trevor: I would say I'd pull that back, and instead of saying the voting process, I'd say the elections process, because it really falls into two different camps. There are voting systems. That is, how do you mark a ballot? How is it scanned and tabulated and how do you get totals? But then there's the voter registration process, which is, are you eligible to vote?
Where are you going to go to vote? What content is on your ballot? What offices and questions will you be voting on. They're really two separate little worlds, voting equipment is not connected to networks or voter registration activities. They have to be connected because individuals need to know, am I registered to vote? Where am I going to go? When is election day?
Marci: What 2020 demonstrated is the value of having a layered cyber defense capability. We talked about Albert, and we talked about EDR, but we also have malicious domain blocking and reporting. This stops a user from connecting to a harmful website. All these things work together to further secure election infrastructure.
Eric: If we had a sound engineer or a budget for one, I'd feel like we should be playing some patriotic music right now.
A Good Election Process Covers Election Security
Eric: I'm feeling so good after this conversation compared to what you read about in the press all the time. There are volunteers in the government who are all coming together to run a good election process.
Rachael: I'm really interested too, in this recent information infrastructure jobs act of 21. There was that 1 billion pledge over the next four years for state and local governments to protect their elections. What's the perspective on how that's going to further the cause here where it's most needed?
Trevor: I'll jump in on that because I've been in several of those conversations. The charter is a billion dollars over four years. 80% of the funding must go to locals, and 20% can go up to states. You can slice and dice it a little bit. If you cooperate with another state, the state can do more to build out a central capability that's accessible to locals.
The cool thing is there are so many needs at the local level, in terms of cybersecurity, both assessing where their risks are, and having the capacity when there is an incident to respond. The locals are really starving for those resources. I think the IIJA is a fabulous approach to that. It's not specific to elections.
The thing is, elections are run by people within local governments, as we are increasing the protections and improving the cybersecurity posture of the local governments, we're actually improving, a rising tide lifts all boats. Everyone is going to get better over the span of time.
I'll give you an example. In our state, our office, even prior to the EI-ISAC funding in point detection and response software for workstations, we did that in Colorado.
Trevor: But we can only do that for election-associated machines. In the county, there's an assessor and there's a sheriff and there's everything else. With our funding, we couldn't cover all those other devices. With the IIJA funding, those locals can start to cover some of those other business units within their local government. We're going to protect ourselves; our charter is elections. But now we can protect against lateral movement by bad actors who are trying to gain a foothold on one side of a system and try to traverse over to something else.
Rachael: Exactly, because it's like island hopping.
Eric: I call it pivoting or you get a jump point, but yes. Island hopping. Unfortunately, we want to stop it. If you're in the Caribbean, it's a good thing or Hawaii, but in this case, we want to stop it. What I'm hearing here and I'm coming at it from a cybersecurity perspective, that's my background. Trevor, you are being a CIO, I'm assuming you can confirm here. You're dealing with the exact same technologies, the exact same problems that we have in regular, non-election-oriented state government in banking, in any industry out there in government, whatever it may be.
We're using EDR, we're using network scanning, the same technologies, the same types of insider threat. We are dealing with that in the government all the time. How are nation states trying to steal America's information? You're dealing with the exact same thing in the election process. You are dealing with it as we talked about a few minutes ago in the same types of ways. We can share information, best practices, tools, and knowledge, and I'd even go so far.
EI-ISAC Versus ISAC
Eric: Marci, correct me here, but the EI-ISAC is operating in very similar ways to the other ISACs, distributing information and capabilities. It's almost the same type of playbook and it's working.
Marci: When the EI-ISAC was stood up, CIS leveraged their experience running the MS-ISAC. The model was applied to the election’s infrastructure ISAC.
Eric: I've been a fan of the ISACs. This is the most inspiring conversation I've had around the ISACs in years. That's not derogatory in any way. It's just more encompassing here than the financial ISAC, where it's a state, local, tribal, federal, or nonprofit. It's really working.
2024, more secure than 2020? More secure than 2016? Prediction time.
Trevor: I think it will be.
Marci: We got to keep moving forward.
Trevor: Someone said about cybersecurity within the election’s context, it's a race without a finish line. We will never be done. We’ll continually be facing new and evolving threats. We're going to continually look at the tool belt and look at the tools that we use. Look at our approaches to preparing for potential vulnerabilities and exploits and how we are going to respond. How are we going to protect ourselves from that and make our systems and our people resilient in those areas? It's never going to stop.
The nice thing is we've got people like Marci who come out with a background of running elections at a state level, helping locals do that well. We've got people at the ISACs who the MS-ISAC has been providing services, counseling, and information sharing to state and local tribal territorial governments for years. At the EI-ISAC, we're only four years old, but we've been able to stand on their shoulders and move that out within the election's context.
It's Pretty Rough in the World of Cybersecurity
Trevor: I love the way that you're characterizing it because it really is inspiring. We can never be complacent, but it really is inspiring where we've come from and then where we're going.
Eric: We're four years into this, two and a half of those years have been during COVID, think about that challenge. It's still working. Things are pretty rough right now in the world of cybersecurity. But in this case, we've got a plan. We've got people, structure, capability, and we're executing.
Rachael: Right now, everyone's talking about the midterm elections. I think these messages are important for people to hear, what's going on, what's being done? So, thanks for the great work you guys are doing.
Eric: My next meeting right after this recording is with CISA, we're going to be talking about the JCDC and the cyber information sharing and collaboration program. I’m going to open the meeting with the EI-ISAC is absolutely working.
Trevor: We're happy for the opportunity to share some information about it. We're doing great work with CISA and DHS as support and obviously with our members, at the state and local and tribal levels.
Eric: Thank you for coming to the show. Marci, EI-ISAC if people want more information, common citizens, election leaders, whatever, how do they get more information?
Marci: Our website is cisecurity.org. There's a wealth of information out there.
Rachael: Trevor, Marci, thanks again for joining us today.
Eric: Smash the subscribe button, listen to the shows, and recommend us to everybody out there. There's incredible content coming to you every week.
About Our Guests
Senior Director of the EI-ISAC since October 2021, responsible for overseeing the operation of the EI-ISAC. She works with state and local election officials to increase their cybersecurity posture through the use of products and services provided by the EI-ISAC. Before joining the EI-ISAC, she served as Chief State Election Official and Executive Director of the South Carolina State Election Commission for nineteen years.
Marci Andino was responsible for overseeing the conduct of primary, general, and special elections in South Carolina. She ensures that elections are conducted in a fair and impartial manner. She's also responsible for supervising county boards of voter registration and elections and serves as agency liaison with the General Assembly. She currently serves on the Council of State Government’s Overseas Voting Initiative Technology Working Group and the Bipartisan Policy Center’s Task Force on Elections Advisory Council.
She's s a former member of the U.S. Election Assistance Commission’s Standards Board, President of the National Association of State Election Directors, President of the S.C. Deputy Director’s Organization, and Secretary of the S.C. Information Technology Director’s Association.
Trevor Timmons served the Colorado Secretary of State as Chief Information Officer since 2007 after eight years as Deputy CIO and Director of Software Development. He served under several Secretaries of State, Colorado. He’s gained a national reputation in several areas including elections administration, business registrations, and cybersecurity operations.
In 2017, Colorado became the first state in the U.S. to implement statewide risk-limiting audits of voter-verifiable paper ballots for all federal and state elections. Colorado routinely ranks among the top states in the nation in voter participation and the percentage of eligible persons registered to vote. Mr. Timmons is the current chairperson of the Executive Committee of the Elections Infrastructure Information Sharing & Analysis Center.
Listen and subscribe on your favorite platform