10:30 AM
Chris Wysopal

4 Practical Measures to Improve Election Security Now

It's more critical than ever for states to protect our democratic system and voting infrastructure from foreign cyber espionage.

In the past, a midterm election season would pass without much fanfare. These have been torpid affairs with low voter turnout and few big-ticket issues, which historically has meant incumbents rather predictably hold their seats.

If midterms made for few headlines then, they're making up for it now. At the recent Black Hat and DEF CON conferences, election security was a foremost concern.

I was able to visit the DEF CON Voting Village, where actual voting machines were being hacked. But more importantly, there were independent experts and state government voting officials that you could talk to about the voting process.

States such as Colorado are making strides by moving to paper ballots, requiring risk-limiting audits, and providing resources to help cities and counties secure their election systems. There are some small districts in Colorado that are able to use Denver's election systems instead of trying to secure their own. Alas, there are many states that are not doing any of these things.

The discussions at DEF CON follow troubling revelations about information security around US elections.

Fortune reported that Microsoft uncovered that hackers allegedly associated with Russia's military "have launched spear-phishing campaigns against at least three candidates running for election in 2018." Though Microsoft declined to name the candidates or the states they are running in, it seems a safe bet that the pattern of targeting American elections via hacking and disinformation is not restricted to these few, and it's aimed at both Republicans and Democrats.

That's why it was welcome to learn that Deputy Attorney General Rod J. Rosenstein recently announced a policy to counter nation-state campaigns designed to undermine US democracy. The government will begin informing "companies, private organizations and individuals that they are being attacked" by threat actors intending to disrupt elections, according to The Washington Post.

What's at Stake?
That new policy is one sign that our government is taking a harder stance on cyber espionage and nation-state sabotage against our critical infrastructure. Another is a push for stronger and further-reaching penalties against hackers, including requesting their arrest by foreign authorities and seizure of their assets.

It is not only industrial systems and power plants that keep our country functioning, but also the democratic system and the voting infrastructure on which it relies. The harsher countermeasures to deter hacking against critical infrastructure should extend to our election processes. Even if votes aren't changed, the hacking of voting systems weakens trust in the democratic process.

Manipulation through election hacking is perhaps an even greater threat to society than attacks against physical infrastructure. It's easier for us to imagine the lights going out following a hack on an electrical grid than the erosion of voting privileges and civil discourse as a result of persistent cyber offensives.

We know voting machines can be hacked. We know cyber operations launched in Russia probed election systems in at least 21 states and disrupted the 2016 presidential election, and that large-scale disinformation campaigns can influence the outcomes of democratic processes.

As with any complex problem, increasing the security of systems and tools around elections calls for a multilayered approach. The efforts toward transparency are important steps, but there are also practical measures we can begin enacting now:

Step 1: Greater investment in modernizing government tech. Government is always among the most targeted sectors, while also being the most out-of-date with software security. It lags well behind other industries in scanning applications for vulnerabilities. Government agencies still develop applications with older programming languages known to produce more vulnerabilities and are not always fixing the flaws they find. Strict adherence to regulatory practices prevents governments from being agile and gets in the way of a DevSecOps approach to development. States are pushing for greater federal funding for election security, rightfully arguing that it's a bipartisan issue. These resources can enable states to patch vulnerabilities, bolster cybersecurity staff, and replace outdated voting machines.

Step 2: Creating more secure software from the start. As companies create proprietary software and rely more on open source, there should be less tolerance of releasing software with critical or severe flaws. This is especially relevant to election security because federal, state, and local governments are some of the largest buyers of this software. If every company is a software company, the next evolution is that every company is a secure software company. This is best achieved by building security into the development life cycle early, when flaws are fixed more efficiently and about 30 times cheaper than after the software is released. If software that facilitates electronic voting has fewer flaws, it is less vulnerable to hacking. Software purchasers must scrutinize their supply chain to make sure they have a secure development and system life cycle.

Step 3: Latitude for security researchers. The pace of software development is rapid; developers face mounting pressure to build rich, feature-driven applications on nearly impossible timelines. It is unrealistic to accurately track vulnerabilities relying on the National Vulnerability Database alone. Finding and reporting vulnerabilities is time-consuming and difficult work but worth the time and investment, which is why security researchers should be considered increasingly valuable.

Step 4: Naming a new White House Cybersecurity Coordinator. Information sharing — between the public and private sector, within industry organizations, and between security researchers and vendors or public agencies — is critical. Since former White House cyber coordinator Rob Joyce left his post in April, the position remains vacant. A high-level cyber coordinator can facilitate information sharing on pressing cyber threats and drive cooperation between the State Department, intelligence agencies, the Department of Homeland Security, the Commerce Department, and other agencies.

Countering foreign cyber espionage, at a time when most software is vulnerable and states aren't well funded to protect elections while attackers are well financed and motivated, may seem insurmountable. It's difficult work, but we can make real progress with cooperation, shared goals, and transparency.


Chris Wysopal is chief technology officer at CA Veracode. He oversees technology strategy and information security. Prior to co-founding CA Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. ...
9/17/2018 | 6:40:00 PM
The Election Process 4 Practical Measures...
Thank you for your article.

In a prior life I was the CISO of Arlington County, VA.  In that county we have a non-profit FM-LP radio station WERA that has a weekly program dedicated to Practical Cyber Security.  I have co-hosted a few programs.  

We did an in-depth review of the voting process in the State of Virginia and those three 30 min programs are ON-DEMAND on MIX-CLOUD or you can go to www.practicalsecurityradio.com to get links to stream the programs. One program was dedicated to the hardware used and the other two were interviews with the deputy registrar of Arlington. These are pure content and commercial free programs. They are eye-openers for people who are clueless about how the wheels turn in local and state government elections! I'd hope you and your readers will listen to these programs to get a fair and accurate view of how the process actually works.

The DEFCON spin about hacking the laptops is not helpful. Those were surplused PCs no longer used and for hackers to gain access to the actual PCs used they would have to crash through the school gym walls where the voters were standing in line to gain access.  

On Voting Day, during the voting process those PCs are basically just tabulators, counting votes. The totals at the voting booths at the gym are called into the registrar's office, the PCs are never connected to the Internet.  The Registrar collects the totals and phones those into the State.  At no time do these PCs touch the Internet during the election process.

Sadly, it is valid that State databases can be hacked and data corrupted. But that doesn't ruin the election because if you and I have our names removed or corrupted we can always use a written form to cast our vote and it will be counted. This is called a provisional vote. I used one last year because I moved from one city to a county.

Now it is true that the State databases are not 100% accurate and this occurs due to the nature of the process; because people move from state to state. There is no fool-proof process to track constituent movement between states. If you leave California and settle in UTAH. Then register in UTAH, you can vote in UTAH however your name is still in the California database. Some states have a check-box at the bottom of voter registration forms that allows you to say what state you left. If you check that box your current state will notify the state you left... however, this process is not provisioned across all the states. If you are in the military for example you could very well be in several state databases, however, you can only realistically vote in the state where you are currently a resident. I suppose if you had three addresses in three states whose boundaries were within driving distance you could drive to all three and try to vote if you maintained those addresses in your name and paid taxes, etc.... so your two extra votes would not come close to affecting the national election!

I would add a fifth measure to your four, that being all states require registrants to indicate what state they left. At least that way the politicians can't claim there are thousands of people registered in multiple places, etc.

Thanks again for the article.


