Securing the Process for a Trustworthy Election
Process Democratic nations should have full confidence in the security and integrity of their electoral processes. No voter should ever wonder if their vote was manipulated in favor of a different candidate or outcome. Confidence can be difficult to obtain, easy to lose, and even harder to regain. There must be trust from the very beginning. Academic and independent research into election and voting systems have illustrated that the people, process, and technology supporting U.S. democratic processes are complicated, underfunded, and imperfect.
Even inaccurate or sensational reporting about election security can test the public’s confidence. Diminishing credibility in any democratic election could have potentially devastating implications for democracy overall, reinforcing the need to make election security and public trust top priorities.
Current Approaches Fall Short
Targeted cyberattacks can be extremely difficult to defend against because the level of sophistication, funding, time, skills, and resources available to the attacker are usually all far greater than non-targeted cyberattacks. In the fall of 2019, The U.K.’s Labour Party experienced two cyberattacks directed at their party’s main platform. The Distributed Denial of Service (DDoS) attacks only caused disruptions but were troubling nonetheless given that they occurred during an important election cycle. By any definition, these attacks would not be considered sophisticated, but they still impacted productivity and public confidence. Conversely, the broadly publicized 2016 Democratic National Committee email breach leaked more than 19K emails to the public. Sophisticated malicious hackers conducted this attack after secretly gaining access and having remained largely undetected.
In addition to targeting political parties and individuals, research shows it is possible to compromise voting machines under the right conditions. These examples illustrate how easy it is to lose the public’s trust and why it’s so critical to build robust and secure election processes. Thankfully, many people are working to improve security across different sectors – from government agencies to private enterprises to nonprofit organizations to concerned independent security researchers – to help prevent interference – especially here in the United States.
Starting Points to Strengthen Election Security
Several factors come into play when thinking about securing election systems. Like everything else, good security starts with basic cyber-hygiene. This applies to election administrators, poll workers, and vendors who are all critical stakeholders in defending elections from malicious activity. Across the U.S., state and local officials should be regularly conducting cybersecurity awareness training that focuses on phishing attacks, password and passphrase best practices, incident response readiness, etc. People are both the most essential and the most vulnerable resources in an organization which is why security training should never be considered one-and-done.
Next, technicians and security teams should work closely with election officials and vendors to regularly assess their election systems, with special focus on identifying components that have direct exposure to the Internet. While some components will require 24×7 presence (i.e., online voter registration databases), others may benefit from filtered access behind a firewall or may be blocked entirely from the public. Poorly understood architectures or misconfigured systems often lead to services and data that are remotely accessible and easily exploitable.
After identifying and addressing the most obvious exposures, skilled penetration testers should be employed to test hardened systems. These experts apply advanced methodologies that may uncover vulnerabilities or weak processes that go unnoticed by in-house technical teams. A good assessment by a reputable third-party penetration testing team will not only identify where an adversary may focus their resources, but it should also include recommended improvements to address any discovered gaps.
Robust election systems are central to the public’s democratic processes. Therefore, it’s not uncommon for good faith researchers from the security community (AKA white hats) to voluntarily assess voting systems. If you’re responsible for running elections, consider providing a clear path for researchers to disclose their discoveries; consider presenting a security.txt file on your public site and have an internal process ready for handling an unexpected vulnerability disclosure. For researchers struggling to connect with an election official, the newly formed EI-ISAC can be a helpful resource for bridging the divide.
Benefits of Adopting the Solution
Maintaining good cybersecurity hygiene and working with skilled security teams can help bolster defenses and trust. The election community is already hard at work leveraging independent testing labs and other pen-testing firms which help perform some of the security tests for elections infrastructure.
Taking a more proactive step with cybersecurity will reinforce public trust in the system and can help improve confidence in the electoral results. Make no mistake that while proactive security measures are not commonly known to the public at large, information security pros are acting behind-the-scenes. Air-gapping – or isolating voting machines from unsecured networks – is a common safeguard implemented to prevent malicious hackers from gaining access. Although this is an important tactic, vulnerabilities can cause connected machines to appear air-gapped, demonstrating the vital need for security redundancies.Tags: ELECTION SECURITY, NATION STATE