Risk

9/11/2018
10:30 AM
Chris Wysopal
Chris Wysopal
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

4 Practical Measures to Improve Election Security Now

It's more critical than ever for states to protect our democratic system and voting infrastructure from foreign cyber espionage.



In the past, a midterm election season would pass without much fanfare. These have been torpid affairs with low voter turnout and few big-ticket issues, which historically has meant incumbents rather predictably hold their seats.

If midterms made for few headlines then, they're making up for it now. At the recent Black Hat and DEF CON conferences, election security was a foremost concern.

I was able to visit the DEF CON Voting Village, where actual voting machines were being hacked. But more importantly, there were independent experts and state government voting officials that you could talk to about the voting process.

States such as Colorado are making strides by moving to paper ballots, requiring risk-limiting audits, and providing resources to help cities and counties secure their election systems. There are some small districts in Colorado that are able to use Denver's election systems instead of trying to secure their own. Alas, there are many states that are not doing any of these things.

The discussions at DEF CON follow troubling revelations of information security around US elections.

Fortune reported that Microsoft uncovered that hackers allegedly associated with Russia's military "have launched spear-phishing campaigns against at least three candidates running for election in 2018." Though Microsoft declined to name the candidates or the states they are running in, it seems a safe bet that the pattern of targeting American elections via hacking and disinformation is not restricted to these few, and it's aimed at both Republicans and Democrats.

That's why it was welcome to learn that Deputy Attorney General Rod J. Rosenstein recently announced a policy to counter nation-state campaigns designed to undermine US democracy. The government will begin informing "companies, private organizations and individuals that they are being attacked" by threat actors intending to disrupt elections, according to The Washington Post.

What's at Stake?
That new policy is one sign that our government is taking a harder stance on cyber espionage and nation-state sabotage against our critical infrastructure. Another is a push for stronger and further-reaching penalties against hackers, including requesting their arrest by foreign authorities and seizure of their assets.

It is not only industrial systems and power plants that keep our country functioning, but also the democratic system and the voting infrastructure on which it relies. The harsher countermeasures to deter hacking against critical infrastructure should extend to our election processes. Even if votes aren't changed, the hacking of voting systems weakens trust in the democratic process.

Manipulation through election hacking is perhaps an even greater threat to society than attacks against physical infrastructure. It's easier for us to imagine the lights going out following a hack on an electrical grid than the erosion of voting privileges and civil discourse as a result of persistent cyber offensives.

We know voting machines can be hacked. We know cyber operations launched in Russia probed elections systems in at least 21 states and disrupted the 2016 presidential election, and that large-scale disinformation campaigns can influence the outcomes of democratic processes.

As with any complex problem, increasing the security of systems and tools around elections calls for a multilayered approach. The efforts toward transparency are important steps, but there are also practical measures we can begin enacting now:

Step 1: Greater investment in modernizing government tech. Government is always among the most targeted sectors, while also being the most out-of-date with software security. It lags well behind other industries in scanning applications for vulnerabilities. Government agencies still develop applications with older programming languages known to produce more vulnerabilities and are not always fixing the flaws they find. Strict adherence to regulatory practices prevents governments from being agile and gets in the way of a DevSecOps approach to development. States are pushing for greater federal funding for election security, rightfully arguing that it's a bipartisan issue. These resources can enable states to patch vulnerabilities, bolster cybersecurity staff, and replace outdated voting machines.

Step 2: Creating more secure software from the start. As companies create proprietary software and rely more on open source, there should be less tolerance of releasing software with critical or severe flaws. This is especially relevant to election security because federal, state, and local governments are some of the largest buyers of this software. If every company is a software company, the next evolution is that every company is a secure software company. This is best achieved by building security into the development life cycle early, when flaws are fixed more efficiently and about 30 times cheaper than after the software is released. If software that facilitates electronic voting has fewer flaws, it is less vulnerable to hacking. Software purchasers must scrutinize their supply chain to make sure they have a secure development and system life cycle.

Step 3: Latitude for security researchers. The pace of software development is rapid; developers face mounting pressure to build rich, feature-driven applications on nearly impossible timelines. It is unrealistic to accurately track vulnerabilities relying on the National Vulnerability Database alone. Finding and reporting vulnerabilities is time-consuming and difficult work but worth the time and investment, which is why security researchers should be considered increasingly valuable.

Step 4: Naming a new White House Cybersecurity Coordinator. Information sharing — between the public and private sector, within industry organizations, and between security researchers and vendors or public agencies — is critical. Since former White House cyber coordinator Rob Joyce left his post in April, the position remains vacant. A high-level cyber coordinator can facilitate information sharing on pressing cyber threats and drive cooperation between the State Department, intelligence agencies, the Department of Homeland Security, the Commerce Department, and other agencies.

Countering foreign cyber espionage, at a time when most software is vulnerable and states aren't well funded to protect elections while attackers are well financed and motivated, may seem insurmountable. It's difficult work, but we can make real progress with cooperation, shared goals, and transparency.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Chris Wysopal is chief technology officer at CA Veracode. He oversees technology strategy and information security. Prior to co-founding CA Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
wa3gin
100%
0%
wa3gin,
User Rank: Apprentice
9/17/2018 | 6:40:00 PM
The Election Process 4 Practical Measures...
Thank You for you artilce.  

In a prior life I was the CISO of Arlington County, VA.  In that county we have a non-profit FM-LP radio station WERA that has a weekly program dedicated to Practical Cyber Security.  I have co-hosted a few programs.  

We did an in-depth review of the voting process in the State of Virginia and those three 30 min programs are ON-DEMAND on MIX-CLOUD or you can go to www.practicalsecurityradio.com to get links to stream the programs.  One program was dedicate to the hardware usedv and the other two were interviews with the deputy registrar of Arlington. These are pure content and commercial free programs.  They are eye-openers for people who are clueless about how the wheels turn in local and state government elections! I'd hope you and your readers will listen to these programs to get a fair and accurate view of how the process actually works.

The DEFCON spin about hacking the laptops is not helpful. Those were surplused PCs no longer used and for hackers to gain access to the actual PCs used they would have to crash through the school gym walls where the voters were standing in line to gain access.  

On Voting Day, during the voting process those PCs are basically just tabulators, counting votes. The totals at the voting booths at the gym are called into the registrar's office, the PCs are never connected to the Internet.  The Registrar collects the totals and phones those into the State.  At no time do these PCs touch the Internet during the election process.

Sadly, it is valid that State databases can be hacked and data currupted. But that doesn't ruin the election because if you and I have our names removed  or currupted we can always use  a written form to cast our vote and it will be counted.  This is called a provisional vote. I used one last year because I moved from one city to a county.

Now it is true that the State databases are not 100% accurate and this occurs due to the nature of the process; because people move from state to state.  There is no fool-proof process to track constituent movement between states.  If you leave California and settle in UTAH. Then register in UTAH, you can vote in UTAH however your name is still in the California database.  Some states have a check-box at the bottom of voter registration forms that allow you to say what state you left.  If you check that box your current state will notify the state you left... however, this process is not provisioned across all the states.  If you are in the military for example you could very well be in several state databases, however, you can only realistically vote in the state where you are currently a resident.  I suppose if you had three addresses in three states whose boundaries were within driving distance you could drive to all three and try to vote if you maintained those addresses in your name and paid taxes, etc.... so your two extra votes would not come close to effecting the national election!

I would add a fifth measure to your four, that being all states require registrants to indicate what state they left. At least that way the politicians can't claim there are thousands of people registered in multiple places, etc.

Thanks again for the article.

 

 

 
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.
CVE-2018-17322
PUBLISHED: 2018-09-22
Cross-site scripting (XSS) vulnerability in index.php/index/category/index in YUNUCMS 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the area parameter.
CVE-2018-14889
PUBLISHED: 2018-09-21
CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability.
CVE-2018-14890
PUBLISHED: 2018-09-21
Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console.
CVE-2018-14891
PUBLISHED: 2018-09-21
Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability.