Cybersecurity and your vote

2020 is a general election year—learn how IU experts are helping to safeguard the election process in Indiana

Whether it’s Russians hacking into the Illinois election database or the phish that took down the computer system for the entire city of New Orleans, cyberattacks are just a part of modern life.

And with the 2020 primary and general elections looming, election officials in Indiana are gearing up to manage every aspect of voting in their county: from registration and poll worker training to verifying IDs and staying apprised of potential cybersecurity threats. 

The cybersecurity team stands in front of a red christmas tree.

Meet the team. These friendly faces are experts in various aspects of election security. They are (left to right): Tom Edelberg, Mike Stanfield, Kelli Shute, Cinda Haff, Tim Goth, and Mark Bruhn. 

That’s where Indiana University comes in. Late last year, the Indiana Secretary of State’s office asked a team of IU cybersecurity experts to lead a half-day incident response fundamentals workshop during its annual Election Administrators Conference. Featuring realistic tabletop exercises as well as remarks from leaders, the IU workshop helped attendees become better informed about potential threats affecting Indiana’s elections and how to prevent and mitigate them.

The workshop was the first event to stem from a recent $300K award from the Secretary of State’s office for IU to review and improve the state’s election cybersecurity incident response plan. These funds are part of a one-time $10 million appropriation for election security that had been budgeted by the Indiana General Assembly during the legislative session.

“Tabletop exercises help election administrators prepare for worst-case scenarios on Election Day. I appreciate IU developing real-world scenarios that tested our skills and helped us prepare for the 2020 election and beyond. Indiana's election administrators are better prepared thanks to IU's hard work,” said Connie Lawson, Indiana secretary of state.

'Insurance policy for when bad things happen'

The IU contingent included Tom Edelberg, Kelli Shute, and Mike Stanfield from the IU Center for Applied Cybersecurity Research; Mark Bruhn from the IU-based Research & Education Networks Information Sharing & Analysis Center (REN-ISAC); and Cinda Haff and Tim Goth from the Office of the Vice President for IT.

Secretary Lawson kicked off the workshop with some remarks and then introduced Matt Masterson from the U.S. Department of Homeland Security. 

“The weakest link is the human. I’ve long said that the biggest threat to elections is cat videos—people can’t resist clicking on them because they want to see it chase that laser pointer.”

“Incidents are going to happen—you will be impacted,” Masterson said to the ballroom packed with county clerks and other election officials from Indiana’s 92 counties. “The weakest link is the human. I’ve long said that the biggest threat to elections is cat videos—people can’t resist clicking on them because they want to see it chase that laser pointer.”

Next up, Mark Bruhn from REN-ISAC gave a presentation on incident response fundamentals, stressing the need for each county to create an Incident Response Plan (IRP) as well as a playbook with checklists and procedures for specific tasks. 

“Think of your IRP as an insurance policy for when bad things happen that you hope you never have to use,” Bruhn told the crowd. “The IRP, coupled with a playbook, will help reduce stress and indecision in a very difficult situation. Of course, you will still need to apply your expertise and experience to the situation, but I guarantee you that your IRP and playbook will be invaluable in a cybersecurity crisis.”

He would know. Prior to his current role at REN-ISAC, Bruhn was IU associate vice president for public safety and institutional assurance, responsible for most aspects of university security and safety, including emergency management, information management and privacy, and security of technology and information.

A tabletop exercise is held.

A good sounding board. Cinda Haff helps election officials talk through the tabletop exercises. 

Power outages and stolen poll books

Next on the workshop agenda were the real-world scenarios that could affect elections in the state. Scenario #1 involved a total power outage in the county on Election Day, in which the voting machines and electronic poll books were out of commission. Scenario #2 was stolen poll books—and how county voting officials would carry on without them. Attendees were instructed to talk through how they would handle each situation while the IU team walked through the room, helping to guide the discussion and offering feedback at the tables.

“Many of the election officials were happy to volunteer to share their experiences during the tabletop exercises. There were some ‘aha’ moments both at the tables and during the larger group discussions,” said Kelli Shute, CACR project manager. The team was very active on the floor during the scenarios, helping guide the participants to think about things that may not have emerged organically through the table discussions.

With the election security workshop under their belt, the IU team is now preparing to host a series of regional “boot camps” across the state with county clerk offices to further support election officials with the creation of tailored, county-specific incident response plans and playbooks.