election security

How to secure Microsoft-based election, campaign systems

Microsoft has issued guidance and provided resources for local election bodies and candidate campaigns to help protect systems and communications.

Microsoft-based election, campaign systems
Thinkstock

election security

Show More

Attackers aren’t waiting until next year to attack the technology used in the election process. For example, attackers from Iran reportedly attempted to break into user accounts associated with the Republican party. While Microsoft didn’t say which campaign was attacked, later news reports indicated that it was President Trump’s re-election campaign.

Attackers who target the elections spend time and resources to investigate personal information, target secondary accounts used for password resets, and gather phone numbers to better target. If you work for a local election office or volunteer for an election campaign, take the time to know and understand the threat. Microsoft is doing its part by offering the following resources and advice to ensure that elections are not impacted by outside sources.

Patch Microsoft Windows

Microsoft is offering free Windows 7 patches to any certified voting systems through 2020, “both in the United States and in other democratic countries, as defined by the EIU Democracy Index, that have national elections in 2020 and express interest.”

Enable two-factor authentication

Microsoft recommends that customers enable two-factor authentication (2FA) in the Account security settings for their Microsoft account. Once you log in there, you can review past sign-in activity in your account and review if anything looks unusual. For Office 365 accounts, you can review log files and enable conditional access to limit the ability to log in from unusual locations.

Use additional authentication verification processes

Next, review options to enable additional verification processes. For Microsoft accounts used by election officials, the company recommends using the Microsoft authenticator app to provide an additional step for verification.  A hardware token such as YubiKey can be used with Windows Hello to provide additional protection as well.

Use the Microsoft AccountGuard service

Microsoft went one step further with the Microsoft AccountGuard service, which provides:

  • Best practices and security guidance specific to those in the political space
  • Access to cybersecurity webinars and workshops
  • Notification of verifiable threats or compromises by a known nation-state actor against the participant’s Office 365 account
  • Notification to both the organization and the impacted individual if a registered Hotmail.com or Outlook.com account associated with the organization is verifiably threatened or compromised by a known nation-state actor
  • Recommendations to the participating organization for remediation if a compromise is confirmed.

Follow Microsoft guidance for setting up Office 365

Microsoft also provides documentation and guidance on how to set up Office 365 securely for political campaigns and non-profits. For non-profits, Microsoft provides discounted licensing through organizations such as techsoup.

Join the EI-ISAC

Often information is a key way to stay secure and the Center for Internet Security provides access to the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which is open to all state, local, tribal and territorial government organizations that support the elections officials of the U.S. and associations. The organization provides election-specific intelligence and news alerts among other information.

Even if you aren’t running a campaign, it’s wise to review what Microsoft recommends to keep elections secure.

Don’t forget to sign up for TechTalk from IDG the new YouTube channel for tech news of the day.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!