It's more critical than ever for states to protect our democratic system and voting infrastructure from foreign cyber espionage.

Chris Wysopal, Chief Technology Officer, Veracode

September 11, 2018

5 Min Read

In the past, a midterm election season would pass without much fanfare. These have been torpid affairs with low voter turnout and few big-ticket issues, which historically has meant incumbents rather predictably hold their seats.

If midterms made for few headlines then, they're making up for it now. At the recent Black Hat and DEF CON conferences, election security was a foremost concern.

I was able to visit the DEF CON Voting Village, where actual voting machines were being hacked. But more importantly, there were independent experts and state government voting officials that you could talk to about the voting process.

States such as Colorado are making strides by moving to paper ballots, requiring risk-limiting audits, and providing resources to help cities and counties secure their election systems. There are some small districts in Colorado that are able to use Denver's election systems instead of trying to secure their own. Alas, there are many states that are not doing any of these things.

The discussions at DEF CON follow troubling revelations of information security around US elections.

Fortune reported that Microsoft uncovered that hackers allegedly associated with Russia's military "have launched spear-phishing campaigns against at least three candidates running for election in 2018." Though Microsoft declined to name the candidates or the states they are running in, it seems a safe bet that the pattern of targeting American elections via hacking and disinformation is not restricted to these few, and it's aimed at both Republicans and Democrats.

That's why it was welcome to learn that Deputy Attorney General Rod J. Rosenstein recently announced a policy to counter nation-state campaigns designed to undermine US democracy. The government will begin informing "companies, private organizations and individuals that they are being attacked" by threat actors intending to disrupt elections, according to The Washington Post.

What's at Stake?
That new policy is one sign that our government is taking a harder stance on cyber espionage and nation-state sabotage against our critical infrastructure. Another is a push for stronger and further-reaching penalties against hackers, including requesting their arrest by foreign authorities and seizure of their assets.

It is not only industrial systems and power plants that keep our country functioning, but also the democratic system and the voting infrastructure on which it relies. The harsher countermeasures to deter hacking against critical infrastructure should extend to our election processes. Even if votes aren't changed, the hacking of voting systems weakens trust in the democratic process.

Manipulation through election hacking is perhaps an even greater threat to society than attacks against physical infrastructure. It's easier for us to imagine the lights going out following a hack on an electrical grid than the erosion of voting privileges and civil discourse as a result of persistent cyber offensives.

We know voting machines can be hacked. We know cyber operations launched in Russia probed elections systems in at least 21 states and disrupted the 2016 presidential election, and that large-scale disinformation campaigns can influence the outcomes of democratic processes.

As with any complex problem, increasing the security of systems and tools around elections calls for a multilayered approach. The efforts toward transparency are important steps, but there are also practical measures we can begin enacting now:

Step 1: Greater investment in modernizing government tech. Government is always among the most targeted sectors, while also being the most out-of-date with software security. It lags well behind other industries in scanning applications for vulnerabilities. Government agencies still develop applications with older programming languages known to produce more vulnerabilities and are not always fixing the flaws they find. Strict adherence to regulatory practices prevents governments from being agile and gets in the way of a DevSecOps approach to development. States are pushing for greater federal funding for election security, rightfully arguing that it's a bipartisan issue. These resources can enable states to patch vulnerabilities, bolster cybersecurity staff, and replace outdated voting machines.

Step 2: Creating more secure software from the start. As companies create proprietary software and rely more on open source, there should be less tolerance of releasing software with critical or severe flaws. This is especially relevant to election security because federal, state, and local governments are some of the largest buyers of this software. If every company is a software company, the next evolution is that every company is a secure software company. This is best achieved by building security into the development life cycle early, when flaws are fixed more efficiently and about 30 times cheaper than after the software is released. If software that facilitates electronic voting has fewer flaws, it is less vulnerable to hacking. Software purchasers must scrutinize their supply chain to make sure they have a secure development and system life cycle.

Step 3: Latitude for security researchers. The pace of software development is rapid; developers face mounting pressure to build rich, feature-driven applications on nearly impossible timelines. It is unrealistic to accurately track vulnerabilities relying on the National Vulnerability Database alone. Finding and reporting vulnerabilities is time-consuming and difficult work but worth the time and investment, which is why security researchers should be considered increasingly valuable.

Step 4: Naming a new White House Cybersecurity Coordinator. Information sharing — between the public and private sector, within industry organizations, and between security researchers and vendors or public agencies — is critical. Since former White House cyber coordinator Rob Joyce left his post in April, the position remains vacant. A high-level cyber coordinator can facilitate information sharing on pressing cyber threats and drive cooperation between the State Department, intelligence agencies, the Department of Homeland Security, the Commerce Department, and other agencies.

Countering foreign cyber espionage, at a time when most software is vulnerable and states aren't well funded to protect elections while attackers are well financed and motivated, may seem insurmountable. It's difficult work, but we can make real progress with cooperation, shared goals, and transparency.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Read more about:

Black Hat News

About the Author(s)

Chris Wysopal

Chief Technology Officer, Veracode

Chris Wysopal is Chief Technology Officer at Veracode. He oversees technology strategy and information security. Prior to co-founding Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec.

In the 1990's, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software.

Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

Chris is often called upon to download the latest Minecraft mods for his son. An avid photographer and nature-lover, Chris spends his free time hiking the many conservation trails near his home outside Boston.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights