The 2018 Election is still five months away, but there has been no shortage of effort on the part of local, state and federal officials to ensure every ballot cast is legitimate and voters are not being intentionally spoofed by news planted by the nation's enemies.
The U.S Election Assistance Commission has set aside more than $380 million to fund security measures, while on the local level events like New York State's Board of Elections in conjunction with the Department of Homeland Security are holding drills throughout the state to help prevent any cyber intrusion during the electoral process.
To help bolster these efforts SC Media thought it would be a great idea to reach out and ask those in the public sector for some advice on what the country needs to do to secure the election.
1. Anthony James, CMO, CipherCloud:
- All access to the vendor voting systems by any party must be two-factor authenticated, without exception.
- Paper audit trails must exist in the event of cyberattack.
- Vendors that supply voting systems must notify all relevant parties within 72 hours of a suspected cyberattack.
- Penetration test your selected vendor's voting systems using an independent tester and then request necessary remediation from the voting system vendor.
- Plan on a rapid update cycle for patches and software that is required to support the integrity and security of the systems.
2. Joseph Carson, chief security scientist, Thycotic:
“It is critical to keep the upcoming fall election secure from voting manipulation and nation-state espionage in order to return confidence back to the citizens of the USA. Ways to protect the voting is to utilize blockchain that maintains the integrity of the votes, ensure that no tampering can be made once a citizens vote has been cast, this will ensure a level of confidence in the results that can also prevent any tampering not only from foreign state actors but also the US government themselves. This is one of the best methods in bring confidence back into the voting system and return unilateral support for the current government.”
3. Anupam Sahai, VP of product management, Cavirin:
“The NIST Cybersecurity Framework provides the basis for the steps required to secure an organization's cyber posture. The same steps used by enterprises – setting goals, assessing one's current state, analyzing gaps and how to close them, and then implementing an action plan – can and should be leveraged by every election jurisdiction. And the 8,800 or so of these districts must share information on best practices and challenges overcome.”
4. Rishi Bhargava, Co-founder of Demisto:
“Training and awareness for government employees and election officials will be paramount. Teams should conduct multiple penetration testing and tabletop exercises in the lead-up to the election, navigating through any potential attack scenario that might occur. These tests should involve identifying spear phishing attacks, responding to compromised voting devices, and testing the on-site router firewalls.”
5. Rusty Carter, VP, Arxan Technologies:
There are so many attack vectors for elections, but the first area of focus needs to be protecting the security of the vote itself. States employing electronic voting need to look carefully at the security of the technology and should move quickly to employ security experts to test the efficacy of a vendor's resilience to attack so that mitigations of fixes can be put in place. Registration and voter-roll systems should similarly have third-party penetration tests to identify vulnerabilities that need to be resolved.
6. Chris Stoneff, VP of security solutions, Bomgar:
“Election systems are air-gapped by their nature making remote tampering nearly impossible at any scale. However, election systems still have vulnerabilities, which is a fact of life. But these vulnerabilities are not too severe, as long as the systems are not connected to the Internet. Keep these systems disconnect from each other and off the Internet and there is no issue. Connect them to the Internet and you will never be able to make them “secure enough.” Slow down the collection and correlation of results by adding humans to manually bring together the data and you are good to go, which, by the way, is the way it is today and why election tampering is so rare. None of this affects malicious activity at the voting districts nor high level fraud – but, none of that is new.”
7. David Ginsburg, Vice President of Marketing at Cavirin:
“Though not a government action per se, at least in the United States, the social networks, in particular, must do everything in their legal power to protect against foreign or domestic actors that may attempt to influence the election through unscrupulous means. Facebook's recent actions to require additional disclosures for political ads is a step in the right direction. The other social and online news networks must follow suit.”
8. Gabriel Gumbs, VP of Product Strategy, STEALTHbits Technologies:
“Securing technology is as much about doing the basics as it is about preparing for the advanced. There are two basic areas that must be a primary focus when discussing securing the fall election cycle – the first is applying patches to known vulnerable systems or removing them from service where possible; the second is acknowledging and responding to known threats. During the last election cycle we saw various organizations ignore warnings of weaknesses.”
9. Sanjay Kalra, co-founder and Chief Product Officer at Lacework:
“The technology operations behind elections mirror the representative nature of our political structure. Many people, a variety of systems, and different approaches all have to work together to ensure the process runs according to specific goals and without being tampered with. This requires the integration and the correct configuration of many disparate cloud systems, but with the understanding that every cloud asset and connection presents risk and a broader attack surface. In order for elections to operate in a safe way, those responsible for the cloud architecture will have to rely on automated and continuous monitoring tools to maintain control over highly dynamic cloud environments.”
10. Michael Magrath, Director of Global Standards & Regulations, OneSpan
"The U.S. Election Assistance Commission's (EAC's) checklist for securing voter registration data suggests employing a risk-based approach to securing election systems. Access control and strong authentication should be focal points. Given the nefarious attacks in 2016, it is important that all staff and volunteers with access to the network are enrolled and issued user-friendly, secure multifactor authentication solutions. I certainly hope that governments use HAVA funds to harden their systems and processes."
Terry Ray, CTO, Imperva
“Campaigns, national committees, and any other organization affiliated with the election process must take stock of their stored data in all forms. They must know what data they have, where it's stored, who has access to it, when and how they access it, and most importantly, when is data access inappropriate. All of these controls exist today, but few of them are utilized due to a perceived complexity around data security. It's not hard, in fact, but these organizations need to start today if a repeat of the data fiasco of 2016 is to be prevented.”