While the causes of emergencies vary greatly, the potential effects do not. This means that jurisdictions can plan to deal with effects common to several hazards, rather than develop separate plans for each hazard.
The all-hazards approach to incident response planning focuses on developing core response capabilities, such as communication, coordination, and resource management, that apply across scenarios. Here are two examples of the all-hazards approach in the election space:
- Bomb threats, fire, and potentially hazardous materials can all force people to evacuate the election office. You can develop a plan around the tasks, or functions, of moving people to safety; securing critical assets such as ballots, equipment, and poll books so you can set up a temporary location; and communicating any changes to the public.
- Ransomware, DDoS attacks, fires, and seizure of assets can all cause election staff to lose access to systems and data they use to administer an election. A plan that ensures you have redundancies and backups* allows you to restore and/or continue operations with minimal disruption. Make sure to test your backups before you need them.
*Redundancy mitigates the risk of downtime, and backup mitigates the risk of data loss.
Although an incident can be cyber, operational, or physical (or any combination), cyber and physical security are no longer two separate things. This is security convergence: the risk is combined, so the mitigations should be combined. The parts of an Incident Response Plan can be structured around the problem to be solved, the objective to be attained, or the task to be performed, without having to be categorized as cyber, operational, or physical.
Dedicate 30 minutes to thinking through:
- What’s most at risk in your election operations? How would losing access to your facility, systems, or specific critical data impact your ability to administer elections? (The lists suggested in the second issue of our Planning Desk may help with this.)
- Which processes and procedures prompt the action you, your staff, and your security partners must take when dealing with a security incident? Are there any missing steps?
- What are the communications plans for alerting your security partners and informing the public of changes that impact them? Who would you need to notify internally and externally? What methods and channels do you intend to use to communicate effectively and in a timely manner? And, if any of those fail, what’s your backup plan? (Think PACE!)
Keep your notes handy. Next week we’ll introduce an Incident Response Plan format based on an easily understood, common-sense approach. Stay tuned!
The Planning Desk is a running timeline of key election security tasks. You can find prior editions in the newsletter archive.