Vulnerabilities / Threats

7/26/2018
01:55 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

8 Steps Toward Safer Elections

Here's some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.
Previous
1 of 10
Next

Image Source: Shutterstock via Artist_R

Image Source: Shutterstock via Artist_R

It's time to think of securing elections the same way we think about securing our businesses and government agencies. Election systems, like all other entities today, are open to cyberattack. So election and government officials have to learn from their corporate counterparts and put a plan in place to achieve a successful election.

"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk’s Office in Illinois. In an April 16 email sent out to his election colleagues in Illinois, Praetz outlined some best practices and options for local elections officials.

"What we need more than anything are professional security people, boots on the ground who can help institute best practices," Praetz says.

The federal Election Assistance Commission made available $380 million earlier this year for states to improve and modernize their election systems. But Praetz cautions that EAC only allocated funding for this year under the Help America Vote Act of 2002. He says much more is needed over successive years to deliver what’s needed to the nation’s 8,800 election districts.

While it's unclear that more financial help will be authorized beyond this year, the Department of Homeland Security has been more open in the past several weeks about the need for increased election security leading up to November's Congressional elections.

In testimony earlier this week before the House Committee on Oversight and Government Reform, undersecretary Christopher C. Krebs told lawmakers that DHS has prioritized voluntary cybersecurity assistance for election infrastructure similar to what's provided to numerous other sectors that have been designated as critical infrastructure, such as the financial sector, defense industry, and electric utilities. DHS designated election infrastructure a critical subsector in January 2017. 

Krebs said DHS has been working with the EAC and other state and local partners to strengthen the security of election systems nationwide, noting in his testimony that DHS will continue to offer a broad range of services, such as cybersecurity hygiene scans, risk and vulnerability assessments, and incident response assistance.

The EAC money has served as a good start, but there are thousands of election districts across the country that are lucky to have one IT support person, let alone a $250,000-a-year threat hunter with a CISSP or other important security credentials. While DHS and other groups are available to help, there’s insufficient support for a much stronger national effort.

A comment from Maria Benson, communications director of the National Association of Secretaries of State, gives some insight into how difficult it would be to forge a national effort. When asked what the status was in Washington of developing a national set of guidelines for election security, Benson replied: "I do not have an opinion, nor does the association. Each state has the authority to decide how to run elections in a secure, fair manner."

In contrast, Harri Hursti, participant in the Voting Machine Hacking Village at DEFCON last year, and Cecile Shea, non-resident senior fellow for global security and diplomacy at the Chicago Council on Global Affairs, say there should be a much stronger effort at the federal level. Both Hursti and Shea say national guidelines can be developed in a way that offers states technology options, but still gives local districts control and the ability to do what suits them best.

For now, a group of Democratic Senators last month introduced the Protecting American Votes and Elections Act, legislation headed up by Sen. Ron Wyden (D-Ore.) that would require states to produce paper trails and mandatory audits. If passed into law, the bill would authorize $10 million to study, test, and develop accessible paper ballot voting, verification, casting mechanisms and devices, and voting best practices. The bill has only Democratic sponsors and no support from Republicans.

That's why Dark Reading took some time and talked to numerous state and local and industry officials to develop a feature that outlines some proactive steps governments (and private citizens) can take to make their elections this November more secure.

We talked to the following sources: Noah Praetz, director of elections, Cook County, Ill., Dr. Eman El-Sheikh, director of the Center for Cybersecurity, University of West Florida, Harri Hursti, a leader in the DEFCON election hacking effort, and Cecile Shea of the Chicago Council on Global Affairs. We also reached out and compiled valuable information via email with Harvard University's Belfer Center for Science and International Affairs, the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the Brennan Center for Justice, and Sen. Wyden's office in Washington, D.C.

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 10
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BanduraCSO
50%
50%
BanduraCSO,
User Rank: Author
8/14/2018 | 6:58:04 AM
Threat Intelligence
This article hits on a number of important points.  Part of this is basic cyber hygiene practices and it's not clear to me why the election networks themselves should be connected to the public Internet.  Threat intelligence and information sharing are very important.  We are seeing TI and info sharing become more important in guidelines like NIST Cyber Security Framework.  As the article points out a lack of skilled security staff is a challenge.  There is a newer technology called a Threat Intelligence Gateway (TIG) that gives you access to significant amounts of threat intelligence, enables you to integrate ISAC and other TI sources, and allows you to make use of TI to protect your network.  The cool thing about the TIG is that it enables organizations to access and act with enterprise grade TI without needing an army of security analysts.
rcash
50%
50%
rcash,
User Rank: Apprentice
8/2/2018 | 12:00:30 PM
Illinois and election integrity are mutually exclusive terms
"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk's Office in Illinois

When 130% more people vote in Cook county than are actually alive one could be preplexed with priorities.
  • Secure voter registration and validate the roles
  • Secure integrity with auditable chain of custody
  • Secure and isolate voting machines from tampering, verifiably.
  • TRAIN the poll personnel on best practices and validate their skills! 
  • Bring in accounting oversight at every step.

These are a few of my favorite things.
orderhangtrungquoc1221
50%
50%
orderhangtrungquoc1221,
User Rank: Apprentice
8/2/2018 | 9:48:47 AM
Re: Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
tks for share
szurier210
50%
50%
szurier210,
User Rank: Apprentice
7/30/2018 | 3:32:06 PM
Re: Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
Thanks very much Robert for your long comments. I don't have the answer but my expansive hope was that this story would generate some good discussion and sharing of ideas. I just think given the current state of politics in Washington a solution won't come from Washington. Average citizens, state and local governments and security people who know how to solve at least the technical issues need to be more vocal. 
bobfrank
100%
0%
bobfrank,
User Rank: Apprentice
7/27/2018 | 7:10:47 PM
Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
Outstanding article! Unfortunately, it is just the latest in hundreds of valid articles about U.S. failures to provide trustworthy elections.  Just do web searches on "election fraud" and "elections integrity" to see some of them. 

This is a much more complex issue than the typical "voter fraud" component focused on just the voter registration elements.  Even if a 100% accurate voter registration system was implemented where only valid U.S. Citizens could register, that element would miss the most urgent need for end-to-end audit trails, chain-of-custody records and appropriate background checks on those allowed access to voting machines and within the ballot processing system.

In Nevada, our citizens task force composed of professionals has worked for almost a decade trying to stimulate interest in "Trustworthy Elections" by all levels of government and by both political parties. Check out my profile for my past expertise.

We have demonstrated that "Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!"

But, so far, we have been unable to get leading government officials to make any significant improvements.  And, detected government failures and suspected fraud is never prosecuted by District Attorneys because they are prohibited from investigating the evidence.

Conduct a web search on "NevadansCAN elections integrity some voting machines allow remote access" to find some of our exhaustive research, documentation and Nevada court hearing records up through the Nevada  Supreme Court on this vital issue. 

We have tried often to amend Nevada statutes to require independent audits of the systems components before, during and after elections (proposed to be done by accredited members of the Association of Certified Fraud Examiners), but leaders of both political parties at all levels have refused to cooperate.  Imaginie if our society refused to have such certified fraud examiner reviews of banking records and government secrets! How could we trust the financial institutions?

Find some of our legislative video testimony by searching on YouTube with the words "elections integrity robert frank"

We have twice contested elections in state courts the results of the Nevada Elections System by following statutes and appealed one particularly improper ruling at the district level to the Nevada Supreme Court and been summarily dismissed. 

The President's and Vice President's federal commission on elections integrity was sabotaged and had to be terminated because of opposition by both parties.  The Federal Elections Commission and Elections Assistance Commission refuse to ensure that at least the federal elections are conducted on trustworthy systems and are independently audited by unconflicted fraud examiners. 

Does anyone have a viable way to "fix" this problem of untrustworthy election systems?  We have exhausted our list of possible ideas for action.  

Robert Frank, Chair, NevadansCAN.com, Las Vegas, Nevada
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20050
PUBLISHED: 2018-12-10
Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.
CVE-2018-20051
PUBLISHED: 2018-12-10
Mishandling of '>' on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via certain ONVIF methods such as CreateUsers, SetImagingSettings, GetStreamUri, and so on.
CVE-2018-20029
PUBLISHED: 2018-12-10
The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a denial of service (BSOD) because uninitialized memory can be read.
CVE-2018-1279
PUBLISHED: 2018-12-10
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on ...
CVE-2018-15800
PUBLISHED: 2018-12-10
Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the the Bits Service storage.