Election Security a 2020 Myth?

As the 2020 election season shifts into high gear, the importance of election security becomes one of the most important issues facing the U.S. Thousands of hours have been spent within government investigating and discussing the role played by Russia and its active measures to disrupt and influence the U.S. electorate.

To achieve the elusive Holy Grail of election security, three vulnerable areas need to be addressed: election infrastructure, voter registration/rolls and ballot security.

GAO Identifies Issues to DHS

The Government Accounting Office (GAO) in its February 2020 report to Congress on election security highlights the shortcomings identified that need addressing by the Department of Homeland Security via their Cybersecurity and Infrastructure Security Agency (CISA).

One of the primary shortcomings within the U.S. is the lack of uniformity across the nation. Some states defer to local jurisdictions to determine the selection of voting technology, methodology of registering voters and the means to ensure ballots are both genuine and countered appropriately. It does not take an accountant to understand that each jurisdiction will have available different levels of resources, including cyber and physical security acumen.

The GAO accurately points out the vulnerabilities of both voting equipment, as well as the technical infrastructure upon which the equipment is dependent. The vulnerability of voting devices and applications has been well-documented by security researchers, with the most recent revelation concerning the Voatz application being shared by MIT cybersecurity researchers in early February.

In addition, as evidenced in the Democratic Party’s Iowa caucus, the rush to digitize was allowed Iowa to suffer from a self-inflicted wound of pushing technology forward without appropriate testing and integration. The failure of Shadow Inc.’s application had a cascade effect as other states slated to use the same technologies dumped the idea.

Nevada, for example, is cobbling together a combination of iPads, paper ballots, Google Forms and verbal telephone call-ins as its quick-reaction backup scenario.

Rube Goldberg would be proud.

GAO Recommends

The GAO recommendations to CISA include:

  1. Finalize the #Protect2020 strategic plan. CISA notes how it expected to release the plan in February 2020.
  2. Ensure election infrastructure secure. CISA notes that such will be the case by February 2020.
  3. Document how CISA addresses the challenges identified and remedial efforts. CISA proffered its exercises and reports as evidence.

CISA highlighted the many “voluntary services” being offered to those managing the elections across the country. These include cyber resilience reviews, external dependencies management and assessments, cyberinfrastructure review, phishing campaign assessment, risk and vulnerability assessments, remote penetration testing, vulnerability scanning, cybersecurity evaluation tools, continuous diagnostics and mitigation, cybersecurity services, hunt and incident response team assistance, a malware analysis center, automated indicator sharing, the Homeland Security information network, the National Cyber Awareness System and posters.

Neither GAO nor CISA offer any readout on how many of the states or local jurisdictions have taken advantage of the “voluntary services.” To do so, it would appear that more than a modicum of technological and cybersecurity understanding would be required. This is a data point which the national electorate will want to be made aware.

Is the Threat Real?

Is all of this an exercise for the sake of busywork?

Not in the least.

In January 2017, the U.S. election infrastructure was designated by the Department of Homeland Security as a subsector of the existing Government Facilities Sector. The National Counterintelligence Strategy 2020-2022 highlights: “Russia remains a significant intelligence threat to United States interests – employing aggressive acts to instigate and exacerbate tensions and instability in the United States, including interfering with the security of our elections.”

While oftentimes there is disagreement across government entities, the need to protect the nation’s elections is real and the election infrastructure joins the likes of Nuclear, Defense, Emergency Services, Energy, Public Health and others as part of the nation’s critical infrastructure.

And while our own Counterintelligence entities are highlighting the threat, a NATO ally has offered their perspective. The Estonia Foreign Intelligence Service in a 70-page report highlights how Russia will target the EU parliamentary elections, and can also be expected to interfere with the Georgian and United States elections.

U.S. Senate Deaf to the Threat?

With the threat well-defined and identified—Russia—it is inexplicable why three separate election-security bills were shot down by the U.S. Senate in early February. In each case, it was Sen. Marsha Blackburn (R-TN) who blocked the unanimous passage of the election-security legislation. These bills would:

  1. Require all future presidential campaigns to call the FBI if they are approached by a foreign power offering assistance.
  2. Compel presidential or congressional candidates to tell the FBI and the Federal Election Commission about any efforts by a foreigner to make any sort of campaign contribution.
  3. Authorize more federal money for modernizing voting systems and improving election security, while banning voting machines from being connected to the internet or being manufactured in foreign countries.

As the calendar advances the threat to the security of the 2020 elections will continue to manifest itself, and whether the U.S. will be a victim due lays in the hands of both the elected officials with the ability to provide resources and the local jurisdictions. The former can legislate solutions and resources, the latter can keep their infrastructure, process and procedures at the level they can both understand and protect. There is no shame in reverting to a paper ballot if it means the election is secure.

Christopher Burgess

Featured eBook
How Your Vendor Access Management Tools Are Putting Your Company at Risk

How Your Vendor Access Management Tools Are Putting Your Company at Risk

If third parties are accessing your network, whether you’re using a VPN, a vendor-supplied support tool, or a Privileged Access Management (PAM) solution to manage network vendor access, the limitations of those tools leave you vulnerable to breaches. But you can’t manage risks that you don’t know you have. Vendor Privileged Access Management (VPAM) is ... Read More
SecureLink

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 106 posts and counting.See all posts by burgesschristopher