As efforts to modernize and digitize outdated and aging election infrastructure take hold across the U.S., the demand for a modernized approach to cybersecurity has become an increasingly urgent imperative. Democratic nations rely on public trust in the integrity of their institutions and, in a republic, on the guiding principle of government “of the people, by the people and for the people.” There is perhaps no more important system than that of free, fair, and secure elections.
As we move deep into the digital era, societies have come to expect innovation in every aspect of their lives. And while governments have often been slower to respond to this reality, innovations to elections systems are beginning to appear, such as mobile vote centers, digital pollbooks, QR code-based ballots, and even remote voting through mobile applications.
Adoption of these new technologies has the potential to bring many benefits, including an improved voter experience and increased individual participation in the democratic process through enhanced access to cast a ballot. However, digitally enabled, network-connected and cloud-supported architectures introduce new and unique challenges, particularly in the area of cybersecurity.
Consider the realities of elections operations that create potential vulnerabilities and opportunities for exploitation:
- Infrastructure is often stood up rapidly, on-demand and used only for very short intervals of time.
- Supporting physical and network infrastructure is frequently leased or borrowed from various disparate entities (schools, libraries, government offices) and traffic may be routed across various untrusted networks.
- Many poll workers and support staff are temporary contractors or volunteers (whose qualifications vary greatly by state) and may be trained insufficiently.
- Voting machines and supporting infrastructure (routers, switches, firewalls, etc.) can spend significant amounts of time in storage and then be quickly deployed, sometimes passing through multiple hands, which creates possible chain-of-custody challenges.
- Physical safeguards of polling stations are difficult to scale and cost prohibitive.
Addressing these and other challenges begins with sound risk management strategies that align government focus, limited budgets, and time constraints with the areas of greatest positive impact.
Let’s start with some good framing questions.
What are the risks? Vulnerabilities? Threats?
Understanding the risks to election operations is key. Unfortunately, all too often public focus is unduly placed or heavily weighted on hackers, external threat actors, and hostile nation states. In reality, one of the biggest threats to an election is a lack of public confidence in the veracity of the results; in other words, perception. Basic security violations can do just as much, if not more, harm than a foreign threat actor and are more likely to occur. To combat these threats, stay focused on building a system that reinforces security fundamentals like integrity, auditability, accountability, non-repudiation and verifiable chain of custody.
What are the regulatory mandates, and can we go further with security best practices?
The Department of Homeland Security (DHS) designates election systems as critical infrastructure, which brings with it a host of regulatory standards and guidelines that must be adhered to or at least evaluated for applicability. It’s important to understand how the NIST guidelines and CIS v7, for example, shape the development of your controls and the entire security program, but look for opportunities to go further with industry best practices. Not only is this good fiduciary duty, it recognizes the fact that security “compliance” should not be the end goal.
The threat landscape is continually evolving, in some cases faster than industry standards can be updated and implemented. Solving these challenges requires building cross-functional teams composed of regulatory (governance, risk, compliance) experts, security architects, and network engineers, and then empowering them to work collaboratively with election operations teams to identify evolving risk mitigation strategies that align with standards and push for higher security levels where appropriate.
Is the architecture defensible?
Election infrastructure should be limited in scope to systems used strictly to support elections and should not be interconnected with other government systems or business networks. Physical and logical separation (segmentation) is challenging to achieve, but the upfront effort will make defending the system easier in the end. Tightening and limiting the IT footprint not only makes regulatory and security compliance more achievable; it eases control complexity, simplifies traffic and data flows, and reduces noise in the system that could complicate monitoring for abnormalities, policy violations, and malicious activity during the election event.
Understanding expected traffic patterns, implementing controls that enforce your policies, and adding detection and prevention capabilities ought to be fundamental. To be defensible, all of this must be manageable from a platform that offers full visibility, in near real time, into all network and application activity, and that correlates internal network activity with external threat intelligence.
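The segmentation and "expected traffic pattern" idea above can be made concrete as an allow-list audit: once the election network is split into a few named zones, every flow the firewall records either matches an expected (source zone, destination zone, protocol, port) tuple or it is a deviation worth an analyst's attention. The script below is an added illustration, not code from the original article or from any election vendor; the zone subnets, the allow-list, the flow-record format and the sample log lines are all constructed for this example.

```python
"""Audit firewall flow records against an explicit election-network allow-list.

Added example for the segmentation / expected-traffic-pattern discussion.
All zones, subnets, flow tuples and log lines here are hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical election-only network zones (constructed for this example).
ZONES = {
    "pollbooks": ipaddress.ip_network("10.20.1.0/24"),
    "ems": ipaddress.ip_network("10.20.0.0/24"),    # election management servers
    "admin": ipaddress.ip_network("10.20.9.0/24"),  # IT staff jump hosts
}

# Expected traffic as (source zone, destination zone, protocol, destination port).
# Anything not listed is a deviation from the documented design and gets flagged.
ALLOWED_FLOWS = {
    ("pollbooks", "ems", "tcp", 443),   # pollbook sync over TLS
    ("admin", "ems", "tcp", 22),        # administrative SSH to the EMS
    ("admin", "pollbooks", "tcp", 22),  # administrative SSH to pollbooks
}

# Constructed flow-record format; a real firewall export would need its own regex.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    reason: str
    line: str


def zone_of(addr: str) -> str:
    """Map an address to a named zone, or 'external' if it lies outside every segment."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def check_flow(line: str) -> Optional[Finding]:
    """Return a Finding for a flow that violates the expected-traffic policy, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return Finding("?", "unparseable record", line)
    f = m.groupdict()
    src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
    key = (src_zone, dst_zone, f["proto"].lower(), int(f["dport"]))
    if "external" in (src_zone, dst_zone):
        reason = f"traffic crosses the election boundary ({src_zone} -> {dst_zone})"
    elif key not in ALLOWED_FLOWS:
        reason = f"flow {src_zone} -> {dst_zone} {key[2]}/{key[3]} is not in the allow-list"
    else:
        return None
    # A permitted flow that the design does not expect is control drift, not just a probe.
    if f["action"].lower() == "allow":
        reason += " and the firewall permitted it (policy gap)"
    return Finding(f["ts"], reason, line)


def audit(records: List[str]) -> List[Finding]:
    """Run every record through check_flow and keep only the violations."""
    return [fnd for fnd in map(check_flow, records) if fnd is not None]


# Constructed sample records (not from any real system).
SAMPLE_LOG = [
    "2024-11-05T07:02:11Z src=10.20.1.15 dst=10.20.0.5 proto=tcp dport=443 action=allow",
    "2024-11-05T07:02:40Z src=10.20.9.3 dst=10.20.0.5 proto=tcp dport=22 action=allow",
    "2024-11-05T07:05:02Z src=10.20.1.15 dst=198.51.100.7 proto=tcp dport=443 action=allow",
    "2024-11-05T07:06:19Z src=10.20.1.22 dst=10.20.1.15 proto=tcp dport=445 action=deny",
    "2024-11-05T07:07:00Z src=192.0.2.44 dst=10.20.0.5 proto=tcp dport=22 action=deny",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding.timestamp}  {finding.reason}")
```

Run as-is, the audit passes the two expected flows and reports three findings: a pollbook reaching an outside address that the firewall allowed (a segmentation gap, the most urgent kind), lateral pollbook-to-pollbook SMB that was denied, and an inbound SSH attempt from outside that was denied. The value of the check is that the allow-list is the documented design, so every finding is a question for the architecture or the change process, not only for the threat hunter.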
Are third-party suppliers, vendors and clouds introducing unforeseen risk?
Choose partners and suppliers wisely and approach vendor risk methodically and with rigor. A chain is only as strong as its weakest link, and so it is with interconnected systems. Vendors should demonstrate cybersecurity maturity levels across their operations consistent with the election system itself; otherwise they will have lowered the security of the entire system. As an example, poor human resources security (such as a lack of continuous background checks) might give a hostile insider access to the election system that could be used to compromise the integrity of the entire operation.
Additionally, it’s not safe to assume that any election systems vendor is practicing sound security principles in their operations just because the election product itself is “certified” or because it has been marketed aggressively to the industry. Look beyond the product and incorporate a broader assessment of the organization. For a vendor to be trusted, demand full transparency of their environment and be on guard for any pushback or claims of “proprietary information” that create barriers to understanding how their technology operates under the hood.
At a minimum, practice sound vendor management by ensuring that a vendor’s master service agreement requires appropriate security maturity levels and includes written legal authorization to verify any and all controls. Negotiating these terms up front can help mitigate a wide range of security challenges and prevent misalignment of expectations as the vendor’s technology is integrated into the ecosystem.
The cybersecurity community must rise to the challenge of offering solutions that meet the demands of the coming revolution and the risks of disrupting traditional voting models. The constant drumbeat of data breaches serves as a warning that the task is not easy. Local governments and communities will need to invest heavily in order to build teams that are empowered to develop a mature election cybersecurity ecosystem. This starts with some of the basics mentioned here but ultimately will require creating an organizational culture attuned to security awareness and risk mindfulness at all levels.