Posted on Oct 15, 2020
Today, SecurityScorecard released a report that reviews the overall cybersecurity posture, including election-related infrastructure, of all 56 U.S. states and territories leading up to the presidential election. The “State of the States” infographic report found that the vast majority (75%) showed signs of a vulnerable IT infrastructure. Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the U.S. election.
SecurityScorecard’s score for each state reflects the overall cybersecurity posture for the entire state, which includes the relevant state election office as identified through the following two resources:
Most states’ election “office” is part of their Secretary of State website, which itself is part of an entity’s overall digital footprint. However, examining the security for just the Secretary of State’s office would likely be incomplete since voter registration records and voter-related information could be kept in another part of a state’s IT infrastructure.
Only seven states (Pennsylvania, Idaho, North Carolina, South Carolina, Arizona, South Dakota, and Nevada) maintain independent websites dedicated to the election and voter-related information. However, these would still be digitally associated with a state’s umbrella website.
Five U.S. territories (American Samoa, Puerto Rico, Guam, Northern Mariana Islands, and the U.S. Virgin Islands) were included despite not having voter representation in the U.S. Congress or electoral votes for president. However, such territories help choose each party's nominee and political parties have the ability to include them in the primary selection process. Over three million people reside in these combined territories. Most importantly, anyone from these territories is a U.S. citizen.
SecurityScorecard calculated the scores for the period of September to early October 2020 with non-intrusive, publicly available data and based on individual scores within 10 categories: network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering.
For more information on how SecurityScorecard “scores” each state, please see the “meaning of scores and breach likelihood” section at the bottom of this fact sheet.
Election security is a significant priority for SecurityScorecard because the company’s mission is to make the world a safer place. The company already provides federal campaigns and federal political parties, on both sides of the aisle, its cybersecurity product and services at no cost. On Election Day, SecurityScorecard has given all employees the day off as part of the Make Time to Vote nonpartisan movement, joining over 1,000 companies to increase voter participation.
This report is part of that broader effort, and we’re here to help each state - not scare or embarrass them. Any state that wishes to receive a free version of its Scorecard may contact [email protected] and will promptly receive a complimentary version of the company’s product expanded beyond what is otherwise publicly offered.
Since 2016, states have undoubtedly made improvements to their IT infrastructure in the wake of interference from foreign threat actors, particularly during the 2016 election. But, the pandemic has brought significant challenges to states with many facing hiring freezes and significant budget deficits. States cannot do this alone.
We recommend that Congress and the federal government provide states with greater resources and funding, particularly given chronic underinvestment in IT across most states. The voting infrastructure and the upcoming election are only a very small part of a much bigger story: states are in an even more difficult position given the pandemic, and they need federal assistance.
Finally, as voters consider electing (or re-electing) state officials and members of Congress from their state, they may also consider the security score of that state. This would be no different than what a board of directors for a company would evaluate in terms of the cyberhealth of that particular company.
*States in blue are Democrat-leaning, red are Republican-leaning, and black are battleground.
SecurityScorecard ratings provide insights and a detailed analysis of the security posture of an organization or entity. The ‘total score’ consists of an easy to understand letter grade A (100) to F (0) and quickly conveys an overall assessment of security hygiene. The ‘total score’ is a weighted average of 10 ‘Factor Scores,’ which provide useful insights into detected vulnerabilities grouped into different categories. Factors (or categories) include network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering.
Online Business Systems found SecurityScorecard’s footprinting to be very accurate. Over the course of testing, Online evaluated SecurityScorecard’s data for a total of 13 unique, unrelated, and randomly selected domains and found SecurityScorecard’s attribution process to have an accuracy of 95%. The accuracy for positively attributing IP Addresses was found to be 94%, and for DNS Records it was found to be 100%. Read the full SecurityScorecard Summary Validation Assessment Report here. For more information, please see our accuracy page, a deep dive into our scoring methodology and the SecurityScorecard Trust Portal as well as an explanation of how SecurityScorecard collects data and calculates ratings.
Just as a poor credit rating is associated with a greater probability of default, a poor grade is associated with a greater likelihood of a breach. SecurityScorecard evaluates organizations’ security profiles non-intrusively, using an ‘outside-in’ methodology. This approach enables SecurityScorecard to operate at scale, measuring and updating cybersecurity ratings daily on more than 1.5 million organizations globally. Relative breach likelihood increases as the SecurityScorecard grade decreases. For example, companies with an ‘F’ rating are 5.6x more likely to suffer a data breach versus those with an ‘A’ rating.