Election CyberSecurity: We Are Still Playing Catch-up

 
Cybersecurity is a complex topic. Politics is a complex topic. Combine the two and there is a potential recipe for disaster. Election CyberSecurity gets more complex factoring in that administration of elections are a state and local government responsibility. There are over 50 different election systems and processes each with varying degrees of cybersecurity. In early 2018, the Center for American Progress graded “The election security in all 50 states” and the results aren’t comforting.

The main takeaway from the Center for American Progress’ report is there is a lot of room for improvement.

  • Fourteen states use paperless Digital-Recording Electronic (DRE) machines in at least some jurisdictions.
  • Five states rely exclusively on paperless DRE machines for voting.
  • Thirty-three states have post-election audit procedures that are unsatisfactory from an election security standpoint, due either to the state’s use of paperless machines, which cannot be adequately audited, or other factors.
  • At least eighteen states do not legally require post-election audits or require jurisdictions to meet certain criteria before audits may be carried out.
  • Thirty-two states allow regular absentee voters and/or U.S. citizens and service members living or stationed abroad to return voted ballots electronically, a practice deemed insecure by election and cybersecurity experts.
  • At least ten states do not provide cybersecurity training to election officials.

The Cybersecurity protecting our elections needs to reflect their significance with comprehensive security… And yet we are still playing catch-up.
Election Cybersecurity Track Record
DEFCON is one of the best-known hacker conferences around. In 2017, they held “DEFCON 25 Voting Machine Hacking Village,” where 25 different pieces of election equipment were probed for vulnerabilities. By the end of the conference, every device was compromised in some manner.
The AVD WinVote, a voting machine that was used in US elections between 2003-2014, was breached using a vulnerability from 2003. During the entire time this device was in production, it could have been exploited and completely taken over remotely – allowing the changing of votes, observing the voters, denying services, and other malicious activity. To make the issue worse, the same machine had an unchangeable backdoor default password. A simple Google search showed the username of “admin” and a password of “abcde”.
Another device, a Diebold ExpressPoll 5000 is used to check in voters. It was found to be improperly decommissioned and still containing personal information on over 600,000 voters from Tennessee, years after it was pulled out of production. This was just a single machine. According to the US Census Bureau, a record 137.5 million Americans voted in the 2016 election. A hacker would’ve hit the jackpot even if they only accessed a fraction of the total voter records.
Increased Federal Involvement
The aftermath of the 2016 elections shined a spotlight on our need for better cybersecurity regulations and controls for the entire U.S. Election System. Specifically, when the Federal Bureau of Investigation (FBI) announced that some state and local election jurisdictions had been the targets of Russian cyberattacks, this put into jeopardy one of the key tenets of our democracy – free and fair elections.
In January 2017, the United States Department of Homeland Security (DHS) federally designated the election infrastructure used in federal elections as a component of the U.S critical infrastructure. Critical Infrastructure (CI) refers to systems and assets for which “incapacity or destruction would have a debilitating impact on security, nation economic security, national public health or safety, or any combination”. Other CI sections include the U.S. energy infrastructure, the Emergency and Financial Services sectors, Food and Agriculture, Transportation Systems, Water and Wastewater, and others.
This federal designation allows DHS to provide security assistance and brings the election infrastructure under a 2015 United Nations agreement stating that “nations should not conduct or support cyber-activity that intentionally damages or impairs the operation of CI in providing services to the public” as well as other benefits and controls from the designations.
Naturally, this designation provoked some concern by state and local officials with regards to federal overreach and autonomy of states to secure their own elections. Some of those concerns have since been mitigated by the federal government’s ability to provide cyber-security funding, assistance, and relief.
Politicians & Promises
We are already seeing the benefits of this new designation and partnership in preparation for the 2018 and 2020 elections.
In June of 2018, Jim Condos, the Vermont Secretary of State, was one of several Secretaries of State to testify before the U.S. Senate Committee on Rules and Administration of his State’s Cyber Security Preparations for the upcoming elections.
Secretary Condos testified that his state had already requested and received a $3 million grant from the Help America Vote Act (HAVA) to assist with cybersecurity improvements such as:

  • Upgrade equipment to comply with modern security standards
  • Implementing two-factor authentication for clerks and staff to access the Election Management System
  • Conduct several rounds of penetration testing on the election management system
  • Offer online cyber-security training for local clerks at regular intervals
  • Robust audits of election results using state-of-the-art auditing technology
  • And other security improvements

This cybersecurity improvement message was repeated by multiple Secretaries of State during their testimony.
While these are sound security improvements, there is still a long way to go and a lot of moving pieces. Still, this recent increase in cybersecurity awareness coupled with the DHS designation and an ongoing commitment by local, state, and federal election officials is a step in the right direction. The knowledge and resources are available to ensure the right technology is coupled with the right practices to protect our election system. This will re-establish voter confidence in the U.S. election system.
The security of our elections isn’t confined to technology vulnerabilities alone. In 2016, Facebook and the Cambridge Analytica scandal highlighted Social Media’s impact on elections. No cybersecurity measures or controls can help protect against false information proliferating via social media.

We cannot let the potential of interference stop us from voting. We must exercise our right to vote to maintain its significant role in our democracy. Free and fair elections are the central pillar of our democracy.

Steve Tcherchian, CISSP
CISO and Director of Product
XYPRO Technology
www.xypro.com
@SteveTcherchian
@XYPROTechnology

Sources
https://fas.org/sgp/crs/misc/IF10677.pdf
—–
https://www.intelligence.senate.gov/sites/default/files/documents/os-jmanfra-062117.PDF
https://www.census.gov/data/tables/time-series/demo/voting-and-registration/p20-580.html
https://www.nass.org/sites/default/files/6.20.18-Senate%20Rules%20Testimony-2018Elections-CONDOS.pdf