Indiana Takes Measures To Protect Election Security

Voting System Technical Oversight Program (VSTOP)

Hosted by Ball State University, this program tests all of the election equipment used in Indiana for an added layer of safety and security. After VSTOP reviews the system to ensure its compliance with the law, their recommendation is presented to the bi-partisan Indiana Election Commission, the body responsible for certifying voting systems for use in Indiana.

IU Center for Applied Cybersecurity Research (CACR)

The Indiana Secretary of State’s Office has partnered with Indiana University to review and improve the state’s election cybersecurity incident response plan and will help prepare election officials in all 92 Indiana counties for cybersecurity incidents related to the 2020 General Election and beyond.

The project will have three parts:

1. Creation and delivery of a suite of materials and table-top training events prior to the 2020 elections, including a series of regional “boot camps” with county clerk offices to train election officials about how to respond to different forms of cyberattacks, such as phishing, phone scams and impersonation calls.
2. Ongoing consulting with Indiana’s Secretary of State and county clerks during the 2020 election season
3. Post-election documentation of lessons learned and recommendations for the future

FireEye

FireEye provides intrusion detection and prevention systems at the state and county level. They monitor internet traffic accessing websites and databases to prevent bad actors from accessing critical election information. This partnership not only prevents and blocks cyber threat, in the event of an incident, FireEye will provide resources to remove the threat.

Election Infrastructure Information Sharing and Analysis Center (EI-ISAC)

An independent entity that partners with the U.S. Department of Homeland Security, this allows us access to 24/7 security information, threat notifications, and security advisories.

U.S. Department of Homeland Security

The Federal Government has conducted risk and vulnerability testing to secure Indiana’s electronic information such as the Statewide Voter Registration System and the state election website.

Multifactor Authentication Protocol for County Election Offices

The Statewide Voter Registration System is used by the state and the counties to maintain voter registration list. We are investing in security at all levels by implementing validation requirements to ensure only authorized users can access the system.

Multifactor Authentication Protocol for all Voters

Hoosiers utilize IndianaVoters.com to register to vote, update their voter information, find their polling location and much more. The state is investing in security at all levels by implementing validation requirements to enhance security for public online access of voter registration information on indianavoters.com, if the voter chooses to do so.

Voter Verifiable Paper Audit Trail

A voter verifiable paper audit trail (VVPAT) is a security measure that allows voters to independently verify their vote was correctly recorded. Further, Indiana law allows for county election boards to select the voting equipment used in their counties, as long as those systems are certified for use in Indiana. Currently, state law allows for the use of an optical scan ballot card system (OpScan) or direct record electronic system (DRE).

OpScan voting systems employ a voter verifiable paper audit trail (VVPAT) by nature of its design – using ballot card marked by the voter or a ballot marking device that is then tabulated by an optical scan component. All DRE systems must contain a VVPAT component not later than July 1, 2024.

Penetration Testing

Penetration testing, also called ethical hacking, is a practice of testing a computer system, network, or web applications to find security vulnerabilities that could be exploited. The State periodically conducts penetration testing to identify potential security vulnerabilities. Once vulnerabilities have been identified steps will be taken to address identified security vulnerabilities and strengthen the security of the Indiana elections infrastructure.

Cloudflare

Distributed denial of service attacks known as DDOS attacks are used to take down websites. To prevent this, the State has implemented a distributed denial of service content filter called Cloudflare to protect indianavoters.com.

Cyber Best Practice Training

Each year the Voting System Technical Oversight Program (VSTOP) team provides Indiana counties with best practices for the operation of election equipment and cybersecurity. Best practices are updated each year as cyber threats evolve and the election landscape changes.

Risk Limiting Audits

A risk limiting audit or RLA is a post-election audit of ballots. A RLA requires manually reviewing a sample of ballot cards of a VVPAT component to a DRE to ensure election results are interpreted and tallied correctly.

Security Protocol

State law establishes physical security standards for election equipment. Many county election boards adopt customized security resolutions above and beyond what is required by law.