Elections Cybersecurity Problems in Illinois

Democratic primary season is underway, and the Illinois Auditor General just raised the alarm about cybersecurity failings at the State Board of Elections.

The Illinois primary election is Tuesday, March 17, 2020.

What are the election cybersecurity problems in Illinois?

We just reviewed the Illinois Auditor General's report, which summarizes the board of elections like this:

"The State Board of Elections had not implemented adequate internal controls related to cybersecurity programs and practices."

Here are specific cybersecurity problems noted by the auditor's office. The Elections Board:

• Had not classified its data to identify and ensure
  adequate protection of information (i.e. confidential or personal information) most susceptible to attack. [Note: this includes Social Security numbers and data on millions of Illinois voters.]
• Had not evaluated and implemented appropriate
  controls to reduce the risk of attack.
•  Had not ensured all staff members completed cybersecurity training upon employment and annually thereafter.
•  Had not developed a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental and operational requirements. Although the Board's Policy Manual included minimum requirements for acceptable usage of information technology, the Policy Manual did not address access provisioning requirements, security awareness and training, and data maintenance and destruction. 

Election security issues in Illinois: the Board responds

While the Illinois Board of Elections admits it has not "formalized" cybersecurity policies, it claims it is more secure than it used to be.

"The Board has evaluated and implemented several technical security controls that have significantly increased the Board's security posture and reduced our threat attack surface."

It also claims that current employees do receive annual security awareness training, but admits that new employees do not receive the training.

Cybersecurity leaders at SecureWorld conferences now tell us that security training as part of employee on-boarding is a best practice.

[RESOURCE: Illinois Auditor General Report on Elections Cybersecurity (PDF); see pages 9-10 for the cybersecurity portion of the report.]

Cybersecurity and elections remain an issue of national concern.

This report from Illinois, and the confusion during the 2020 Iowa caucus, may have further damaged voter confidence in election technology.