In a collaborative effort to safeguard the integrity of the 2024 US election cycle, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other key partners have released new guidance for election officials. This comprehensive overview addresses the risks posed by insider threats to election infrastructure, potential scenarios, and actionable steps to mitigate these threats.

Strengthening 2024 US Election Security

The FBI, in coordination with the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), CISA, and the U.S. Election Assistance Commission (EAC), has prepared this guidance to assist election officials at all levels in defending against insider threat concerns. For years, federal, state, local, and private sector partners have worked closely to support state and local officials in safeguarding election infrastructure from cyber, physical, and insider threats. Due to these concerted efforts, there is no evidence that malicious actors have altered or deleted votes or impacted the outcome of elections. "While there is no evidence that malicious actors impacted election outcomes, it is important that election stakeholders at all levels are aware of the risks posed by insider threats and the steps that they can take to identify and mitigate these threats," reads the report.

Understanding Insider Threats

An insider threat is defined as an individual or group with authorized access or special knowledge who uses that access to cause harm to an organization or entity. This harm can include malicious acts that compromise the security and integrity of election systems and information. Insiders can be current or former employees, temporary workers, volunteers, contractors, or any individuals with privileged access to election systems. Recent Examples of Insider Threats

1. Unauthorized Data Extraction: A temporary election worker inserted a personal flash drive into an electronic poll book containing voter registration data, including confidential information. This worker extracted the data to compare it against documents they intended to acquire post-election via the Freedom of Information Act. The breached equipment was decommissioned following the incident.
2. Unauthorized Access and Data Exposure: A state-identified digital images of a voting system and confidential passwords published online without authorization. Further investigation revealed that a county clerk and a subordinate had granted unauthorized access to the county’s voting machines, disabled security cameras, and provided false credentials to an unauthorized individual.
3. Network Access Breach: During a state’s spring primary election, a county official reported an attempt to gain unauthorized access to the county’s election network. An unauthorized laptop was connected to the government network, and data from the election network was later presented at a public gathering discussing perceived election fraud.
4. Compromised Election Systems: Two county officials allowed unauthorized users access to their election systems during an audit, leading to the state’s chief election official decertifying the machines and prohibiting their use in future elections.

While recent insider threats have been domestic, there is a growing concern about foreign adversaries exploiting insider access to interfere with the 2024 US elections. Foreign actors might attempt to manipulate individuals with privileged access through ideological, financial, or coercive means. Such attempts could potentially disrupt processes, spread false information, and undermine confidence in U.S. democratic institutions.

Indicators of Insider Threat Activity

Election officials should be vigilant for signs of insider threat activity, including:

• Unauthorized access to systems or facilities.
• Attempting to alter or destroy ballots or election materials.
• Turning off security cameras or access control systems.
• Removing sensitive material without authorization.
• Accessing networks at odd times.
• Ignoring cybersecurity policies.

Building an Insider Threat Mitigation Program

Effective insider threat mitigation involves several key components:

1. Standard Operating Procedures (SOPs): Detailed steps for tasks, including access control measures and the buddy system for handling sensitive tasks.
2. Physical and Digital Access Control: Restricting access to necessary systems and facilities, maintaining logs, and using surveillance.
3. Chain of Custody Procedures: Documenting the movement and control of assets to prevent unauthorized access.
4. Zero Trust Security: Verifying each access request, regardless of origin.
5. Continuous Monitoring: Using human and digital tools to detect anomalies.
6. Routine Audits: Validating the effectiveness of security measures.
7. Cybersecurity Best Practices: Implementing multi-factor authentication, regular updates, and network segmentation.

As the 2024 US election cycle approaches, it is imperative for election stakeholders to be aware of the risks posed by insider threats and to implement comprehensive mitigation strategies. The guidance provided by the FBI, CISA, and partners serves as a crucial resource in these efforts. By establishing strong security measures, election officials can help ensure the integrity, reliability, and security of the election process, thereby reinforcing public confidence in the democratic system.