9/11/2018
10:30 AM
Chris Wysopal
Commentary

4 Practical Measures to Improve Election Security Now

It's more critical than ever for states to protect our democratic system and voting infrastructure from foreign cyber espionage.

In the past, a midterm election season would pass without much fanfare. These have been torpid affairs with low voter turnout and few big-ticket issues, which historically has meant incumbents rather predictably hold their seats.

If midterms made for few headlines then, they're making up for it now. At the recent Black Hat and DEF CON conferences, election security was a foremost concern.

I was able to visit the DEF CON Voting Village, where actual voting machines were being hacked. But more importantly, there were independent experts and state government voting officials that you could talk to about the voting process.

States such as Colorado are making strides by moving to paper ballots, requiring risk-limiting audits, and providing resources to help cities and counties secure their election systems. There are some small districts in Colorado that are able to use Denver's election systems instead of trying to secure their own. Alas, there are many states that are not doing any of these things.

The discussions at DEF CON follow troubling revelations about information security around US elections.

Fortune reported that Microsoft uncovered that hackers allegedly associated with Russia's military "have launched spear-phishing campaigns against at least three candidates running for election in 2018." Though Microsoft declined to name the candidates or the states they are running in, it seems a safe bet that the pattern of targeting American elections via hacking and disinformation is not restricted to these few, and it's aimed at both Republicans and Democrats.

That's why it was welcome to learn that Deputy Attorney General Rod J. Rosenstein recently announced a policy to counter nation-state campaigns designed to undermine US democracy. The government will begin informing "companies, private organizations and individuals that they are being attacked" by threat actors intending to disrupt elections, according to The Washington Post.

What's at Stake?

That new policy is one sign that our government is taking a harder stance on cyber espionage and nation-state sabotage against our critical infrastructure. Another is a push for stronger and further-reaching penalties against hackers, including requesting their arrest by foreign authorities and seizure of their assets.

It is not only industrial systems and power plants that keep our country functioning, but also the democratic system and the voting infrastructure on which it relies. The harsher countermeasures to deter hacking against critical infrastructure should extend to our election processes. Even if votes aren't changed, the hacking of voting systems weakens trust in the democratic process.

Manipulation through election hacking is perhaps an even greater threat to society than attacks against physical infrastructure. It's easier for us to imagine the lights going out following a hack on an electrical grid than the erosion of voting privileges and civil discourse as a result of persistent cyber offensives.

We know voting machines can be hacked. We know cyber operations launched in Russia probed election systems in at least 21 states and disrupted the 2016 presidential election, and that large-scale disinformation campaigns can influence the outcomes of democratic processes.

As with any complex problem, increasing the security of systems and tools around elections calls for a multilayered approach. The efforts toward transparency are important steps, but there are also practical measures we can begin enacting now:

Step 1: Greater investment in modernizing government tech. Government is always among the most targeted sectors, while also being the most out-of-date with software security. It lags well behind other industries in scanning applications for vulnerabilities. Government agencies still develop applications with older programming languages known to produce more vulnerabilities and are not always fixing the flaws they find. Strict adherence to regulatory practices prevents governments from being agile and gets in the way of a DevSecOps approach to development. States are pushing for greater federal funding for election security, rightfully arguing that it's a bipartisan issue. These resources can enable states to patch vulnerabilities, bolster cybersecurity staff, and replace outdated voting machines.

Step 2: Creating more secure software from the start. As companies create proprietary software and rely more on open source, there should be less tolerance of releasing software with critical or severe flaws. This is especially relevant to election security because federal, state, and local governments are some of the largest buyers of this software. If every company is a software company, the next evolution is that every company is a secure software company. This is best achieved by building security into the development life cycle early, when flaws are fixed more efficiently and about 30 times more cheaply than after the software is released. If software that facilitates electronic voting has fewer flaws, it is less vulnerable to hacking. Software purchasers must scrutinize their supply chain to make sure they have a secure development and system life cycle.

Step 3: Latitude for security researchers. The pace of software development is rapid; developers face mounting pressure to build rich, feature-driven applications on nearly impossible timelines. It is unrealistic to accurately track vulnerabilities relying on the National Vulnerability Database alone. Finding and reporting vulnerabilities is time-consuming and difficult work but worth the time and investment, which is why security researchers should be considered increasingly valuable.

Step 4: Naming a new White House Cybersecurity Coordinator. Information sharing — between the public and private sector, within industry organizations, and between security researchers and vendors or public agencies — is critical. Since former White House cyber coordinator Rob Joyce left his post in April, the position remains vacant. A high-level cyber coordinator can facilitate information sharing on pressing cyber threats and drive cooperation between the State Department, intelligence agencies, the Department of Homeland Security, the Commerce Department, and other agencies.

Countering foreign cyber espionage, at a time when most software is vulnerable and states aren't well funded to protect elections while attackers are well financed and motivated, may seem insurmountable. It's difficult work, but we can make real progress with cooperation, shared goals, and transparency.


Chris Wysopal is chief technology officer at CA Veracode. He oversees technology strategy and information security. Prior to co-founding CA Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. ...