Dark Reading is part of the Informa Tech Division of Informa PLC


Securing Our Elections Requires Change in Technology, People & Attitudes

Increasing security around our election process and systems will take a big effort from many different parties. Here's how.

The security of our elections is top of mind for practically every voter in the US. With the state primaries underway, all eyes are on our electronic (and in some cases mobile) voting systems to understand if malicious attacks are happening — and if our systems are able to defend against them. Most experts agree that we are unprepared and underfunded when it comes to securing our elections — which should concern us all.

A big problem is that when we look at the entire ecosystem of the national election process, we don't treat it the same way we treat business systems. This is a mistake. Voting is a business of our state governments. And the most valuable asset for states is voter information — similar to the customer information and data assets of a for-profit business (which are increasingly safeguarded by data privacy regulations). To modernize our current model of election management, trust, and security, it's important to examine three interrelated pillars for state governments: technology, people, and attitudes.

1. Technology: Making Cybersecurity More Proactive
To address the growing security threats that many players in the broader election system ecosystem face, proactive cybersecurity technology and policy must take center stage in three important ways:

Cybersecurity hygiene of individual companies and agencies
Greater transparency and data-driven assessments of election system hardware and software providers should be mandated in order to measure each company's cybersecurity hygiene against an established baseline. In addition, there needs to be increased monitoring of the deployment and implementation of technology in state and local election systems to ensure that misconfigurations aren't creating additional vulnerabilities.

A "layered defense" approach to cybersecurity
Given the complicated, interdependent nature of government systems and databases, security measures should be established to minimize the likelihood of an attack, particularly from internal staff. For example, an ill-intentioned employee could access and hack a state voter registration database through a vulnerability in the Department of Motor Vehicles network. Implementing a layered defense approach and incorporating the principle of least privilege, which limits an individual's access to only very specific parts of a network or election system, makes internal access more difficult and successful hacking less likely.

Ongoing validation of effectiveness of security controls
As is true in the business world, any government agency or organization playing a role in the election ecosystem cannot afford to assume that established security technology and protocols always work as they're supposed to. With such a complex array of interrelated software elements from multiple vendors, each with different settings and procedures, and with continually changing network and access protocols, ongoing changes in the IT environment (what I call "environmental drift") can negatively affect security performance. When left unchecked, there is tremendous risk that security controls will not provide the necessary defenses when an attack occurs. Frequent and regular evaluations to validate the effectiveness of security controls should be a key component of the overall process.

2. People: New Roles and Relationships for the state CIO and CISO
Typically, the role of chief elections officer is filled by the secretary of state, who oversees testing and certifying all voting equipment for security, accuracy, reliability, and accessibility. States also have a CIO and a CISO, but they don't currently have a formal direct working relationship with the secretary of state or state elections commissions. I believe that they should — especially now, with the prominence of e-voting. State CIOs and CISOs can be of tremendous value to the secretary of state and election commissions in helping them understand the evolving cybersecurity threat landscape, while tracking its potential threat impact on a daily basis.

Governors should also have cyber-protection teams that know how to scan the environment for the bad guys and look for flaws, before an attack occurs. The right place for this cybersecurity resource to exist and collaborate with the state CIO and CISO would be in "Fusion Centers" set up to deal with any kind of emergency, regardless of origin. I have seen this work already underway in Michigan, Virginia, Rhode Island, and Louisiana, and believe other states should follow their lead.

3. Attitudes: Moving from Naivete to Thoughtful Experimentation
There are several attitude challenges that we face today. While most state and local governments understand that threats are out there and vulnerabilities exist, they don't understand their nature or magnitude, or how best to address them. At the local level, there is often a perception that individual precincts are too small to be viable targets. In a democracy where every vote must count, a broader mindset is required. And when security technology is brought in as the solution, there is too often an overreliance placed on it and a false assumption that it's working as it's supposed to in order to protect election integrity. When cyber hygiene is one of the top priorities in business organizations today, why should state/local election systems be different?

There are forward-looking states experimenting with electronic and mobile voting to reflect current technology and cultural change — with a dual purpose of deterring voter fraud and boosting voter turnout. Initiatives and experiments to enable people to vote by mobile phone — anywhere, anytime — require deep attention to proactive cybersecurity and digital identity. In the 2018 midterm elections, West Virginia became the first state to introduce purely online voting for overseas military voters with a mobile app that used blockchain technology, with identity authentication through a fingerprint or facial recognition. With the security concerns inherent to this kind of experiment, more research should be done and trials conducted to make mobile voting a more viable way for people to vote. 

From Ideas to Action
To increase trust, accountability, and security around our election process and systems, it will take a combined and concerted effort from many different parties — on both the state and local government side as well as from the technology community. State governments and election officials should take the lead, but others involved in the process share an equal responsibility — from the federal government and technology companies in both the election systems and cybersecurity spaces, all the way down to individual citizens. Only when we all come together can we ensure that every vote counts.


Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ...
