It took an 11-year-old boy all of 10 minutes to hack into a replica of Florida’s election website and to change the vote count.
Think about that for a moment: A sixth grader needed only 10 minutes to be able to change Florida’s hypothetical election results.
Now, some may argue that this wasn’t a “real” hack because it happened at DefCon and was a simulated website. And he was a kid who had a little bit of fun, changing the vote count for the winner to 12 billion. However, if a kid could enter the network and manipulate the data so quickly and easily, you know a professional hacker from Russia or some other nation-state will have a field day.
I know I am restating what has been said repeatedly since 2016: Our election system is under attack. In 2018, we’ve seen specific candidates targeted and concerns that state and county voting systems have been hacked (including Florida, and not in a simulation hack). Yet, the government at all levels is doing little to address this serious cyberattack. Congress voted against funding for improved cybersecurity for election systems, and in that Florida case, the buck is being passed along the line, telling individual counties to handle the problem, but many counties aren’t equipped to do so.
Who Will Secure Our Elections?
If we want election security, our best bet is to turn to security professionals. Many of the security pros I know warned about the vulnerability of our voting systems long before 2016. We didn’t listen to them then, but it is time to listen to their advice now. And the first bit of advice is to take the security of elections out of the hands of the government, to some extent.
“Each election campaign is expected to protect and secure their own systems,” said Joseph Carson, chief security scientist at Thycotic. “This means that inexperienced, temporary staff are brought in to protect sensitive data that includes voter information and campaign strategies. This allows for attackers to easily target election campaigns, sometimes gaining access to email accounts or the entire voter database.”
That’s why security professionals with niche expertise should support the government machinery to ensure free, fair and robust elections, added Rishi Bhargava, Co-founder at Demisto.
Know Where the Vulnerabilities Are
We don’t know exactly why some in government are balking at improving election security, but one reason may be that they don’t understand what and where the risks are. Is it in the software? The voting machines? In our databases? It’s hard to protect something if we don’t know what to protect, especially if security isn’t your job.
“Elections today are a confluence of many potentially vulnerable elements—voting systems, networks and databases, email accounts, and misleading news—and that increases the possibility of mischief manifold. It also means that local and state governments cannot be proficient in every element of security and will need all the help they can get,” explained Bhargava.
Hence, the security of our election systems is a complex matter that involves many organizations and should include a variety of technologies from numerous vendors. But that’s easier said than done, according to Mike Weber, vice president at Coalfire Labs.
“The attack surface of systems in use today is rather broad, and the Voluntary Voting System Guidelines (VVSG) and related testing standards are not sufficient to confirm that these systems have been built in a manner that effectively reduces risk,” Weber said. Plus, they are woefully out of date. Testing guidelines need to be modernized and made specific to address the most vulnerable points in the threat model, he added. “Systems must undergo more rigorous testing than they do now. Systems should be tested to ensure that the controls that were built into the system to meet the VVSG standards cannot be subverted or bypassed. The tests should include emulating what an attacker with the objective of impacting the election could do to the system—this is well beyond the level of testing that is currently being done, which is not much more than an audit that the system was built with certain security controls.”
Recognize It’s More than Voting Security
Right now the cybersecurity focus is on the voting machines and software, but the security problem is much more complicated than that.
“We saw, and continue to see, manipulation of social networks, news sites and even the integrity of data stored in the cloud,” said David Ginsburg, vice president of Marketing at Cavirin. “This last threat, where the very accuracy of critical records comes into question, is sometimes overlooked.”
So Ginsburg has put out a challenge: He wants to see our entire voting system, from election records storage to political interaction, treated and prepared for in the same way as was done for Y2K and GDPR, so that organizations that have anything to do with the election process or data will put in place the necessary processes and technology.
“To protect the election process against hacks, security professionals are direly needed,” Sanjay Kalra, co-founder and Chief Product Officer at Lacework, concluded. “Security professionals who are steeped in this mindset can give us the best opportunity to be successful at protecting the electoral process.”