Any conversation about the security of our digital future inevitably involves the subject of election security. Whether it’s an attempt to mitigate the risk of foreign adversaries using misinformation to influence national elections or mitigating the vulnerabilities in voting systems across different municipalities, ensuring the integrity of election results is of paramount concern for the U.S. and the world at large.
When challenged with protecting critical infrastructure and thwarting disinformation campaigns, where do local, state and federal agencies begin?
Call for Commission
“Election security will continue to be discussed, with no significant action,” said Jeff Williams, CTO and co-founder at Contrast Security. “Despite strong evidence that our elections have been tampered with, widespread recognition that our voting infrastructure is not well-secured, and multiple ongoing investigations, it is an extremely complex and political problem that will take years to address.”
The inclination to pessimism is understandable, given the enormity of the task. In many ways, cybersecurity professionals are doing the work of Sisyphus, which leaves them with the choice of believing their efforts will inevitably be defeated or realizing that their continued work is what build resiliency.
A Strategy for Tenacity
Stanford University’s Cyber Policy Center recently hosted “Securing Our Cyber Future: Innovative Approaches to Digital Threats,” a symposium where industry experts discussed how to secure American elections.
Central to the discussion was a white paper recently published by Stanford titled, “Securing American Elections,” which offers “… concrete prescriptions for protecting the integrity and independence of U.S. elections, focusing in particular on strengthening resiliency before the 2020 presidential election. Our recommendations are practical, concrete, and achievable before 2020—but they demand action now,” according to the paper.
While hardening the existing electoral infrastructure is critical to election security, the wider electoral ecosystem also needs to be fortified. “Electronic poll books, vote tabulation systems, election night reporting systems on which news services rely, and auditing systems,” are all part of what the white paper calls the “vast electoral ecosystem.” Because this ecosystem is “… decentralized in many places, and varies tremendously in its resilience to attack, [it requires] substantial upgrades to advance its overall security.”
To date, there have been decades of studies that reflect the lack of security in these systems, Williams said, noting he has seen the same types of problems in voting machines and related infrastructure that are found in other types of software.
“I’m all for modernizing election systems to gain better security, but as is often the case, the technology is only a small part of the overall system,” Williams said. “Attackers don’t bother to attack the heart of your defenses—they go after the weakest parts. By and large, they don’t break encryption, they steal the key from the user. They don’t go after the main public website, they break into a little HVAC contractor website and pivot from there. And in this case, they go after the hearts and minds of the American voter … because it’s the easiest way to achieve their objective.”
Back to Basics
Because every part of the election process involves some connected device that is vulnerable, securing elections demands a return to fundamentals. The greatest vulnerabilities lie in the integrity of the information and the availability of the election and voting systems, which is why Bindu Sundaresan, director for AT&T Cybersecurity, said investing funds in new equipment isn’t going to resolve security issues.
Election security is no different from enterprise security in that the focus needs to be on people, process and technology, she said. “If you have a voter registration database, make sure patches and updates on all the systems and servers that connect to the database are updated,” Sundaresan said. “Make sure the database server is not accessible from the internet and restrict all different external systems that connect to the database.”
Establishing a baseline for what is considered normal activity is key when it comes to detecting anomalies, but government agencies should also have scanning tools that are automated to make sure it is a continuous process. In addition to understanding how they would detect an anomaly, government agencies need to have an incident response plan in place.
“Often people think that this database has been set up for years, it’s fine. It’s secure, but that one change you make on your firewall could mean that now you are one step away from a breach,” Sundaresan said.
The fundamentals need to be in place first. Building the security strategy and adding in new technology is great, but county, state and federal governments can’t forget that an attack at the process level can still happen even if the foundations are in place and configured correctly.
“We see at the state and county level, overall security awareness and cyber hygiene is typically lacking,” she said.